Skip to main content

MongoDB Server CVE-2026-8063

| EUVDEUVD-2026-28326 HIGH
NULL Pointer Dereference (CWE-476)
2026-05-07 mongodb GHSA-v547-m6pg-pf7w
7.1
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

6
Patch available
May 07, 2026 - 07:01 EUVD
Re-analysis Queued
May 07, 2026 - 06:35 vuln.today
cvss_changed
Severity Changed
May 07, 2026 - 06:35 NVD
MEDIUM HIGH
CVSS changed
May 07, 2026 - 06:35 NVD
6.5 (MEDIUM) 7.1 (HIGH)
Analysis Generated
May 07, 2026 - 05:45 vuln.today
CVE Published
May 07, 2026 - 04:12 nvd
MEDIUM 6.5

DescriptionCVE.org

An authenticated user can crash mongod when running $rankFusion or $scoreFusion with an empty pipeline on a view.

When resolving a view, the server inspects the aggregation pipeline to determine whether it begins with an Atlas Search stage. For $rankFusion and $scoreFusion, this inspection reads the first element on each stage’s input pipeline array without first verifying that the array is non-empty. Supplying an empty pipeline causes a null pointer dereference and crashes the server.

This issue affects MongoDB Server 8.2 versions prior to 8.2.7.

AnalysisAI

MongoDB Server 8.2 before version 8.2.7 crashes when an authenticated user supplies an empty pipeline to $rankFusion or $scoreFusion aggregation operators on a view. The server fails to validate that the pipeline array is non-empty before accessing its first element during view resolution, resulting in a null pointer dereference that terminates the mongod process. This denial-of-service condition requires database authentication but can be triggered remotely via aggregation queries.

Technical ContextAI

MongoDB's view resolution mechanism inspects aggregation pipelines to detect Atlas Search stages at the beginning of the pipeline. The vulnerable code in the $rankFusion and $scoreFusion stage handlers directly accesses the first element of an input pipeline array (typically via array indexing or pointer dereference) without first checking if the array is non-empty. This is a classic null pointer dereference vulnerability (CWE-476). When a view's aggregation pipeline is empty, the unvalidated array access reads from a null pointer, causing the mongod process to crash. The vulnerability exists in the aggregation pipeline execution layer responsible for resolving views in MongoDB 8.2.x releases.

RemediationAI

Upgrade MongoDB Server to version 8.2.7 or later. This is the vendor-released patch that fixes the null pointer dereference in the $rankFusion and $scoreFusion stage handlers. If immediate upgrade is not feasible, implement network-level access controls to restrict database authentication to trusted application servers and internal administrative users only. Additionally, monitor for aggregation queries using $rankFusion or $scoreFusion operators and alert on empty pipeline parameters as a detective control. Disable or restrict the use of views with $rankFusion and $scoreFusion operators until patching is complete if those features are not critical to operations. Consult MongoDB advisory SERVER-121851 for additional context and rollout timelines.

CVE-2026-8053 HIGH
8.7 May 12

Out-of-bounds memory write in MongoDB Server's time-series collection feature enables arbitrary code execution by authen

CVE-2026-4148 HIGH
8.7 Mar 17

MongoDB Server sharded clusters are vulnerable to use-after-free memory corruption when authenticated users with read pe

CVE-2026-9740 HIGH
8.7 Jun 09

Remote unauthenticated denial-of-service in MongoDB Server's BSON validation layer allows attackers to crash the mongod

CVE-2026-9742 HIGH
8.2 Jun 09

Pre-authentication denial-of-service in MongoDB Server allows unauthenticated remote clients to crash the database proce

CVE-2026-8336 HIGH
7.7 May 13

Authenticated users can crash MongoDB Server by chaining specific server-side JavaScript operations ($_internalJsEmit or

CVE-2026-9753 HIGH
7.2 Jun 09

Memory disclosure and denial-of-service in MongoDB Server allows any authenticated user with aggregate command privilege

CVE-2026-9750 HIGH
7.1 Jun 09

MongoDB Server exposes an availability and data integrity risk allowing any low-privileged authenticated user to crash t

CVE-2026-9748 HIGH
7.1 Jun 09

Remote denial-of-service in MongoDB Server allows an authenticated user to crash the mongod process by submitting an agg

CVE-2026-9752 HIGH
7.1 Jun 09

Denial of service in MongoDB Server allows an authenticated user to crash the database process by issuing a geospatial q

CVE-2026-9743 HIGH
7.1 Jun 09

Denial of service in MongoDB Server 8.0 allows authenticated users with aggregation pipeline privileges to crash the ser

CVE-2026-9749 HIGH
7.1 Jun 09

Denial of service in MongoDB Server allows authenticated users to trigger an assertion failure by running aggregation pi

CVE-2026-9747 HIGH
7.1 Jun 09

Denial of service in MongoDB Server allows authenticated remote attackers to crash the database process by submitting ag

Share

CVE-2026-8063 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy