Skip to main content

MongoDB Server CVE-2026-8202

| EUVD-2026-29894 MEDIUM
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-05-13 mongodb GHSA-p4m7-wm4c-77hf
Denial Of Service
5.3
CVSS 4.0
Share

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
CVSS changed
May 13, 2026 - 15:52 NVD
4.3 (MEDIUM) 5.3 (MEDIUM)
Patch available
May 13, 2026 - 02:01 EUVD
Analysis Generated
May 13, 2026 - 02:00 vuln.today
CVE Published
May 13, 2026 - 00:19 nvd
MEDIUM 4.3

DescriptionNVD

Using a densely populated chars mask and a large input string in the MongoDB aggregation operators $trim, $ltrim, and $rtrim, an authenticated user with aggregation permissions can pin CPU utilization at 100% for an extended period of time.

This issue impacts MongoDB Server v7.0 versions prior to 7.0.34, v8.0 versions prior to 8.0.23, v8.2 versions prior to 8.2.9 and v8.3 versions prior to 8.3.2.

AnalysisAI

Denial of service in MongoDB Server v7.0 through v8.3 allows authenticated users with aggregation permissions to exhaust CPU resources via densely populated character masks in $trim, $ltrim, and $rtrim aggregation operators. An attacker can pin CPU utilization at 100% for extended periods by crafting malicious aggregation queries with large input strings and computationally expensive mask patterns. …

Sign in for full analysis, threat intelligence, and remediation guidance.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Share

CVE-2026-8202 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy