crypt_shared: failure when using Change Streams

XMLWordPrintableJSON

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major - P3
    • None
    • Affects Version/s: None
    • Component/s: Queryable Encryption
    • None
    • Server Security
    • ALL
    • Hide

      1. Create a QE-enabled collection in a replica set
      2. Create an AutoEncryptionOpts object that uses crypt_shared
      3. Instantiate an encrypted MongoDB client with the AutoEncryptionOpts
      4. Attempt to open a watch on the QE-enabled collection

      Show
      1. Create a QE-enabled collection in a replica set 2. Create an AutoEncryptionOpts object that uses crypt_shared 3. Instantiate an encrypted MongoDB client with the AutoEncryptionOpts 4. Attempt to open a watch on the QE-enabled collection
    • Server Security 2026-05-22, Server Security 2026-06-05, Server Security 2026-06-19
    • None
    • None
    • None
    • None
    • None
    • None
    • None

      I am using a MongoDB cluster that is a three-member replica set running MongoDB 8.3.
      When attempting to open a watch on a Change Stream with an encrypted MongoDB client that uses crypt_shared an exception is raised:

      csfle "analyze_query" failed: The $changeStream stage is only supported on replica sets [Error 2, code 40573]

      If, when using pymongo, I set bypass_query_analysis=True which prevents crypt_shared from being loaded or used the watch on the Change Stream is opened without issue.

      Whilst watching a Change Stream is a read-only process I would have assumed that I would not require a seperate explicit encryption-only MongoDB encrypted client to open a Change Stream on a QE-enabled collection.

            Assignee:
            Owen Chen
            Reporter:
            Brett Gray
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Created:
              Updated: