Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
An issue in MongoDB Server's time-series collection implementation allows an authenticated user with database write privileges to trigger an out-of-bounds memory write in the mongod process. The issue results from an inconsistency in the internal field-name-to-index mapping within the time-series bucket catalog. Under certain conditions this can result in arbitrary code execution.
This issue impacts MongoDB Server v5.0 versions prior to 5.0.33, v6.0 versions prior to 6.0.28, v7.0 versions prior to 7.0.34, v8.0 versions prior to 8.0.23, v8.2 versions prior to 8.2.9 and v8.3 versions prior to 8.3.2.
AnalysisAI
Out-of-bounds memory write in MongoDB Server's time-series collection feature enables arbitrary code execution by authenticated users with database write privileges. Affects all active release branches (5.0 through 8.3) when exploiting field-name-to-index mapping inconsistencies in the time-series bucket catalog. EPSS score of 0.06% (20th percentile) suggests low widespread exploitation probability despite high CVSS 8.7, but requires authentication and database privileges, limiting attack surface to insider threats or compromised application credentials. No public exploit code or CISA KEV listing identified at time of analysis.
Technical ContextAI
This vulnerability resides in MongoDB's time-series collection implementation, a specialized storage optimization introduced in MongoDB 5.0 for efficiently handling temporal data streams. Time-series collections use bucketed storage where documents are compressed into internal bucket structures with field-name-to-index mappings to reduce disk footprint. The CWE-787 (Out-of-Bounds Write) flaw occurs in the mongod process when the bucket catalog's internal mapping becomes inconsistent during write operations. This memory corruption primitive can be leveraged to overwrite adjacent memory regions, potentially hijacking control flow. The issue spans six major release branches spanning from MongoDB 5.0 (released July 2021) through the current 8.3 development series, indicating a longstanding architectural flaw in the time-series bucket management code rather than a recent regression. The CPE string confirms this affects MongoDB Server specifically, not community forks or downstream distributions.
RemediationAI
Upgrade to patched MongoDB Server versions: 5.0.33, 6.0.28, 7.0.34, 8.0.23, 8.2.9, or 8.3.2 or later as appropriate for your deployment branch. Vendor-confirmed fix versions are available through MongoDB Download Center and package repositories. Refer to JIRA SERVER-126021 for official upgrade guidance and release notes. Organizations unable to immediately patch should implement compensating controls: (1) Restrict database write privileges to only essential application service accounts using MongoDB role-based access control (use roles like read or readWrite instead of dbOwner or root where possible); (2) Deploy network segmentation to limit MongoDB access to trusted application tiers only, blocking direct database access from user networks; (3) Enable MongoDB audit logging to monitor anomalous write patterns to time-series collections; (4) If time-series collections are not operationally required, consider migrating data to standard collections until patching is complete (trade-off: loss of storage optimization and query performance benefits specific to temporal data). Note that disabling time-series features entirely requires data migration and application code changes, making rapid patching the preferred remediation path for production systems.
More in Mongodb Server
View allMongoDB Server sharded clusters are vulnerable to use-after-free memory corruption when authenticated users with read pe
Remote unauthenticated denial-of-service in MongoDB Server's BSON validation layer allows attackers to crash the mongod
Pre-authentication denial-of-service in MongoDB Server allows unauthenticated remote clients to crash the database proce
Authenticated users can crash MongoDB Server by chaining specific server-side JavaScript operations ($_internalJsEmit or
Memory disclosure and denial-of-service in MongoDB Server allows any authenticated user with aggregate command privilege
MongoDB Server exposes an availability and data integrity risk allowing any low-privileged authenticated user to crash t
Remote denial-of-service in MongoDB Server allows an authenticated user to crash the mongod process by submitting an agg
Denial of service in MongoDB Server allows an authenticated user to crash the database process by issuing a geospatial q
Denial of service in MongoDB Server 8.0 allows authenticated users with aggregation pipeline privileges to crash the ser
Denial of service in MongoDB Server allows authenticated users to trigger an assertion failure by running aggregation pi
Denial of service in MongoDB Server allows authenticated remote attackers to crash the database process by submitting ag
Denial of service in MongoDB Server occurs when an authenticated user issues a $changeStreams aggregation combined with
Same weakness CWE-787 – Out-of-bounds Write
View allSame technique Memory Corruption
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29888
GHSA-pr63-cc36-q84h