Skip to main content

MongoDB Server CVE-2026-8053

| EUVDEUVD-2026-29888 HIGH
Out-of-bounds Write (CWE-787)
2026-05-12 mongodb GHSA-pr63-cc36-q84h
8.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

6
Patch available
May 13, 2026 - 20:32 EUVD
Analysis Updated
May 13, 2026 - 16:03 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 13, 2026 - 15:52 vuln.today
cvss_changed
CVSS changed
May 13, 2026 - 15:52 NVD
8.7 (HIGH)
Analysis Generated
May 13, 2026 - 01:15 vuln.today
CVE Published
May 12, 2026 - 23:59 nvd
NONE

DescriptionCVE.org

An issue in MongoDB Server's time-series collection implementation allows an authenticated user with database write privileges to trigger an out-of-bounds memory write in the mongod process. The issue results from an inconsistency in the internal field-name-to-index mapping within the time-series bucket catalog. Under certain conditions this can result in arbitrary code execution.

This issue impacts MongoDB Server v5.0 versions prior to 5.0.33, v6.0 versions prior to 6.0.28, v7.0 versions prior to 7.0.34, v8.0 versions prior to 8.0.23, v8.2 versions prior to 8.2.9 and v8.3 versions prior to 8.3.2.

AnalysisAI

Out-of-bounds memory write in MongoDB Server's time-series collection feature enables arbitrary code execution by authenticated users with database write privileges. Affects all active release branches (5.0 through 8.3) when exploiting field-name-to-index mapping inconsistencies in the time-series bucket catalog. EPSS score of 0.06% (20th percentile) suggests low widespread exploitation probability despite high CVSS 8.7, but requires authentication and database privileges, limiting attack surface to insider threats or compromised application credentials. No public exploit code or CISA KEV listing identified at time of analysis.

Technical ContextAI

This vulnerability resides in MongoDB's time-series collection implementation, a specialized storage optimization introduced in MongoDB 5.0 for efficiently handling temporal data streams. Time-series collections use bucketed storage where documents are compressed into internal bucket structures with field-name-to-index mappings to reduce disk footprint. The CWE-787 (Out-of-Bounds Write) flaw occurs in the mongod process when the bucket catalog's internal mapping becomes inconsistent during write operations. This memory corruption primitive can be leveraged to overwrite adjacent memory regions, potentially hijacking control flow. The issue spans six major release branches spanning from MongoDB 5.0 (released July 2021) through the current 8.3 development series, indicating a longstanding architectural flaw in the time-series bucket management code rather than a recent regression. The CPE string confirms this affects MongoDB Server specifically, not community forks or downstream distributions.

RemediationAI

Upgrade to patched MongoDB Server versions: 5.0.33, 6.0.28, 7.0.34, 8.0.23, 8.2.9, or 8.3.2 or later as appropriate for your deployment branch. Vendor-confirmed fix versions are available through MongoDB Download Center and package repositories. Refer to JIRA SERVER-126021 for official upgrade guidance and release notes. Organizations unable to immediately patch should implement compensating controls: (1) Restrict database write privileges to only essential application service accounts using MongoDB role-based access control (use roles like read or readWrite instead of dbOwner or root where possible); (2) Deploy network segmentation to limit MongoDB access to trusted application tiers only, blocking direct database access from user networks; (3) Enable MongoDB audit logging to monitor anomalous write patterns to time-series collections; (4) If time-series collections are not operationally required, consider migrating data to standard collections until patching is complete (trade-off: loss of storage optimization and query performance benefits specific to temporal data). Note that disabling time-series features entirely requires data migration and application code changes, making rapid patching the preferred remediation path for production systems.

CVE-2026-4148 HIGH
8.7 Mar 17

MongoDB Server sharded clusters are vulnerable to use-after-free memory corruption when authenticated users with read pe

CVE-2026-9740 HIGH
8.7 Jun 09

Remote unauthenticated denial-of-service in MongoDB Server's BSON validation layer allows attackers to crash the mongod

CVE-2026-9742 HIGH
8.2 Jun 09

Pre-authentication denial-of-service in MongoDB Server allows unauthenticated remote clients to crash the database proce

CVE-2026-8336 HIGH
7.7 May 13

Authenticated users can crash MongoDB Server by chaining specific server-side JavaScript operations ($_internalJsEmit or

CVE-2026-9753 HIGH
7.2 Jun 09

Memory disclosure and denial-of-service in MongoDB Server allows any authenticated user with aggregate command privilege

CVE-2026-9750 HIGH
7.1 Jun 09

MongoDB Server exposes an availability and data integrity risk allowing any low-privileged authenticated user to crash t

CVE-2026-9748 HIGH
7.1 Jun 09

Remote denial-of-service in MongoDB Server allows an authenticated user to crash the mongod process by submitting an agg

CVE-2026-9752 HIGH
7.1 Jun 09

Denial of service in MongoDB Server allows an authenticated user to crash the database process by issuing a geospatial q

CVE-2026-9743 HIGH
7.1 Jun 09

Denial of service in MongoDB Server 8.0 allows authenticated users with aggregation pipeline privileges to crash the ser

CVE-2026-9749 HIGH
7.1 Jun 09

Denial of service in MongoDB Server allows authenticated users to trigger an assertion failure by running aggregation pi

CVE-2026-9747 HIGH
7.1 Jun 09

Denial of service in MongoDB Server allows authenticated remote attackers to crash the database process by submitting ag

CVE-2026-9746 HIGH
7.1 Jun 09

Denial of service in MongoDB Server occurs when an authenticated user issues a $changeStreams aggregation combined with

Share

CVE-2026-8053 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy