MongoDB MCP Server
Official MongoDB MCP server for database CRUD operations, aggregation, schema inspection, Atlas cloud cluster management, Atlas Streams, local deployments, and knowledge base search.
Score Breakdown
Server Info
- Package
- mongodb-mcp-server
- Registry
- npm
- Repository
- mongodb-js/mongodb-mcp-server
- Maintainer
- MongoDBVendor
- Category
- Developer Tools
- Tags
- nosqldatabasemongodb
- Last Scanned
- 28 May 2026
Findings
6 issuesAuthentication & Identity
HIGHNo MCP OAuth spec implementation
Server does not implement the MCP OAuth authorization server spec. The platform must handle the full OAuth flow, token management, and credential injection externally.
Implement the MCP OAuth spec (.well-known/oauth-authorization-server) for native per-user authentication.
HIGHEnv var credentials with no rotation mechanism
Credentials (MDB_MCP_CONNECTION_STRING, MDB_MCP_API_CLIENT_ID, MDB_MCP_API_CLIENT_SECRET) are read from environment variables at startup. Rotation requires restarting the server process. All requests share the same service account credential.
Support dynamic credential refresh or secrets manager integration.
Tool Schema Quality
HIGHRequired fields missing on 1 write operations
Write tools without required field declarations: atlas-local-create-deployment.
Add required arrays to all write/delete tool schemas.
MEDIUMOnly 2 of 48 schemas have parameter constraints
Most schemas lack maxLength, enum, or pattern constraints on string parameters.
Add constraints to string parameters, especially on write operations.
LLM Safety
HIGHTool descriptions contain instructional language
Descriptions include directives that could influence LLM behavior beyond tool selection.
Remove instructional language. Descriptions should be purely factual.
Data Exposure
MEDIUM6 list operations lack pagination
find tool has a configurable limit (default 10) and a 1MB response bytes ceiling (responseBytesLimit). aggregate and aggregate-db pipelines can return unlimited results without a built-in cap unless the pipeline includes a $limit stage. list-databases, list-collections, collection-indexes have no documented pagination or result caps. find supports projection for field selection. atlas-get-performance-advisor limits slow query logs to a configured default count. export tool writes to file, bypassing in-memory size limits.
Add limit/offset or cursor-based pagination.
Tools
48 total| Name | Description | Risk |
|---|---|---|
| connect | Connect to a MongoDB instance using a connection string. | write |
| switch-connection | Switch to a different active MongoDB connection. | write |
| list-databases | List all databases on the connected MongoDB instance. | read |
| list-collections | List collections in a database. | read |
| collection-indexes | List indexes on a collection. | read |
| collection-schema | Inspect the inferred schema of a collection by sampling documents. | read |
| collection-storage-size | Get the storage size statistics for a collection. | read |
| db-stats | Get statistics for a database. | read |
| find | Query documents in a MongoDB collection using EJSON filter syntax. Limit defaults to 10; responseBytesLimit defaults to 1MB. | read |
| count | Count documents in a collection matching a filter. | read |
| aggregate | Run an aggregation pipeline on a collection. | read |
| aggregate-db | Run a database-level aggregation pipeline (e.g., $listLocalSessions, cross-collection). | read |
| explain | Explain the execution plan for a query or aggregation. | read |
| export | Export documents from a collection to a file. | read |
| mongodb-logs | Retrieve recent MongoDB server logs. | read |
| insert-many | Insert multiple documents into a collection. | write |
| update-many | Update multiple documents in a collection matching a filter. | write |
| delete-many | Delete multiple documents matching a filter from a collection. | write |
| create-collection | Create a new collection in a database. | write |
| create-index | Create an index on a collection. | write |
| rename-collection | Rename a collection. | write |
| drop-collection | Drop (delete) a collection and all its documents. Destructive admin operation. | admin |
| drop-database | Drop an entire database and all its collections. Destructive admin operation. | admin |
| drop-index | Drop an index from a collection. | write |
| atlas-list-clusters | List Atlas clusters in a project. | read |
| atlas-list-projects | List Atlas projects in an organization. | read |
| atlas-inspect-cluster | Get configuration details for an Atlas cluster. | read |
| atlas-create-free-cluster | Create a free-tier Atlas cluster. | write |
| atlas-upgrade-cluster | Upgrade an Atlas cluster tier or configuration. | write |
| atlas-create-access-list | Add IP addresses to Atlas project access list. | write |
| atlas-inspect-access-list | Get the current IP access list for an Atlas project. | read |
| atlas-list-db-users | List database users for an Atlas project. | read |
| atlas-create-db-user | Create a database user in Atlas. | write |
| atlas-create-project | Create a new Atlas project. | write |
| atlas-list-orgs | List Atlas organizations. | read |
| atlas-connect-cluster | Connect to an Atlas cluster (sets up connection string). | write |
| atlas-list-alerts | List alerts for an Atlas project. | read |
| atlas-get-performance-advisor | Get performance advisor recommendations (slow query logs and index suggestions) for an Atlas cluster. Limited to most recent slow queries. | read |
| atlas-streams-discover | Discover Atlas Streams instances and connections. | read |
| atlas-streams-build | Build and deploy an Atlas Streams processor. Typical workflow: create workspace → add connections → deploy processor. | write |
| atlas-streams-manage | Manage Atlas Streams processor lifecycle: start, stop, modify. Common workflow: stop → modify → start. | write |
| atlas-streams-teardown | Tear down an Atlas Streams processor or instance. | admin |
| atlas-local-list-deployments | List local Atlas deployments. | read |
| atlas-local-create-deployment | Create a local Atlas deployment using Docker. | write |
| atlas-local-connect-deployment | Connect to a local Atlas deployment. | write |
| atlas-local-delete-deployment | Delete a local Atlas deployment. Destructive admin operation. | admin |
| list-knowledge-sources | List available MongoDB knowledge sources for documentation search. | read |
| search-knowledge | Search MongoDB knowledge base for documentation and guidance. | read |
Deploy MongoDB MCP Server securely
CompleteFlow adds per-user authentication, permission scoping, and audit logging to any MCP server out of the box.
Deploy on CompleteFlow