Which versions of MongoDB Server are affected by CVE-2026-8053?

CVE-2026-8053 is a high-severity arbitrary code execution vulnerability in MongoDB Server (versions 5.0-8.3) affecting time-series collections that requires authenticated database write access.. A patch is available.

MongoDB Server CVE-2026-8053

Q: What is the CVSS score of CVE-2026-8053?

CVE-2026-8053 has a CVSS 4.0 base score of 8.7 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.1%.

EUVD-2026-29888 HIGH

Out-of-bounds Write (CWE-787)

2026-05-12 mongodb

GHSA-pr63-cc36-q84h

RCE Buffer Overflow Memory Corruption

8.7

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Patch available

May 13, 2026 - 20:32 EUVD

Analysis Updated

May 13, 2026 - 16:03 vuln.today

v2 (cvss_changed)

Re-analysis Queued

May 13, 2026 - 15:52 vuln.today

cvss_changed

CVSS changed

May 13, 2026 - 15:52 NVD

8.7 (HIGH)

Analysis Generated

May 13, 2026 - 01:15 vuln.today

CVE Published

May 12, 2026 - 23:59 nvd

NONE

DescriptionNVD

An issue in MongoDB Server's time-series collection implementation allows an authenticated user with database write privileges to trigger an out-of-bounds memory write in the mongod process. The issue results from an inconsistency in the internal field-name-to-index mapping within the time-series bucket catalog. Under certain conditions this can result in arbitrary code execution.

This issue impacts MongoDB Server v5.0 versions prior to 5.0.33, v6.0 versions prior to 6.0.28, v7.0 versions prior to 7.0.34, v8.0 versions prior to 8.0.23, v8.2 versions prior to 8.2.9 and v8.3 versions prior to 8.3.2.

AnalysisAI

Out-of-bounds memory write in MongoDB Server's time-series collection feature enables arbitrary code execution by authenticated users with database write privileges. Affects all active release branches (5.0 through 8.3) when exploiting field-name-to-index mapping inconsistencies in the time-series bucket catalog. …

RemediationAI

Within 24 hours: identify all MongoDB instances running versions 5.0-8.3 with time-series collections enabled; audit and revoke unnecessary database write privileges; review authentication logs for unauthorized access. Within 7 days: implement strict network segmentation isolating MongoDB from untrusted networks; rotate all database credentials and application service account passwords; disable time-series collections if not operationally required. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-8053 vulnerability details – vuln.today

Back

MongoDB Server CVE-2026-8053

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

MongoDB Server CVE-2026-8053

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code