A user authorized to performing a specific type of query may trigger a denial of service by issuing a generic explain command on a find query. This issue affects: MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.6; MongoDB Server v3.6 versions prior to 3.6.11. References: https://jira.mongodb.org/browse/SERVER-38275
Upstream patches: https://github.com/mongodb/mongo/commit/722f06f3217c029ef9c50062c8cc775966fd7ead [master] https://github.com/mongodb/mongo/commit/d315547544d7146b93a8e6e94cc4b88cd0d19c95 [v4.0] https://github.com/mongodb/mongo/commit/5c7c6729c37514760fd34da462b6961a2e385417 [v3.6]
External References: https://jira.mongodb.org/browse/SERVER-38275