Skip to main content

MongoDB Server CVE-2026-8336

| EUVDEUVD-2026-29893 HIGH
Use After Free (CWE-416)
2026-05-13 mongodb GHSA-5f8r-h2c3-xvqc
7.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.7 HIGH
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:A/V:D/RE:M/U:Red

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:A/V:D/RE:M/U:Red
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

6
Analysis Updated
May 13, 2026 - 16:01 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 13, 2026 - 15:52 vuln.today
cvss_changed
CVSS changed
May 13, 2026 - 15:52 NVD
7.5 (HIGH) 7.7 (HIGH)
Patch available
May 13, 2026 - 01:17 EUVD
Analysis Generated
May 13, 2026 - 01:16 vuln.today
CVE Published
May 13, 2026 - 00:16 nvd
HIGH 7.5

DescriptionCVE.org

After invoking $_internalJsEmit, which is not intended to be directly accessible, or mapreduce command’s map function in a certain way, an authenticated user can subsequently crash mongod when the server-side JavaScript engine (through $where, $function, mapreduce reduce stage, etc.) is used also in a specific way, resulting in a post-authentication denial-of-service.

This issue impacts MongoDB Server v7.0 versions prior to 7.0.34, v8.0 versions prior to 8.0.23, v8.2 versions prior to 8.2.9 and v8.3 versions prior to 8.3.2.

AnalysisAI

Authenticated users can crash MongoDB Server by chaining specific server-side JavaScript operations ($_internalJsEmit or mapreduce map functions) with subsequent JavaScript engine invocations ($where, $function, mapreduce reduce stages), triggering a use-after-free condition. Affects MongoDB Server 7.0 (prior to 7.0.34), 8.0 (prior to 8.0.23), 8.2 (prior to 8.2.9), and 8.3 (prior to 8.3.2). Vendor-released patches available for all affected branches. No public exploit identified at time of analysis; EPSS score of 0.05% (16th percentile) suggests low observed exploitation probability despite 7.7 CVSS score. The CWE-416 use-after-free root cause requires precise sequencing of JavaScript operations, limiting exploitability.

Technical ContextAI

This vulnerability involves MongoDB's server-side JavaScript execution engine, which enables operations like $where queries, $function aggregation expressions, and mapreduce commands. The issue stems from a use-after-free memory corruption (CWE-416) triggered when $_internalJsEmit (an internal function not intended for direct user access) or mapreduce map functions are invoked in a specific manner, followed by subsequent JavaScript engine operations. Use-after-free vulnerabilities occur when code references memory after it has been freed, leading to unpredictable behavior including crashes or potential code execution. MongoDB's JavaScript engine shares runtime state across operations, making proper memory lifecycle management critical. The CPE string (cpe:2.3:a:mongodb,_inc.:mongodb_server:*:*:*:*:*:*:*:*) confirms this affects the core MongoDB Server product across four major version branches (7.0, 8.0, 8.2, 8.3), indicating the vulnerability exists in shared JavaScript engine code spanning multiple releases.

RemediationAI

Upgrade to MongoDB Server 7.0.34, 8.0.23, 8.2.9, or 8.3.2 respectively based on your current version branch. MongoDB has released patches for all affected versions as documented in Jira issue SERVER-121610 (https://jira.mongodb.org/browse/SERVER-121610). For environments where immediate patching is not feasible, disable server-side JavaScript execution as a compensating control by setting security.javascriptEnabled to false in mongod.conf, though this breaks legitimate functionality including $where queries, $function aggregation expressions, and mapreduce operations - assess application dependencies before implementing. Alternatively, restrict database user privileges to prevent access to mapreduce commands and $_internalJsEmit functions through role-based access control (RBAC), limiting the attack surface to only users requiring JavaScript operations. Monitor MongoDB logs for unusual JavaScript operation patterns or repeated mongod crashes as potential exploitation indicators. Note that disabling JavaScript has significant functional impact and should be temporary until patching completes.

CVE-2026-8053 HIGH
8.7 May 12

Out-of-bounds memory write in MongoDB Server's time-series collection feature enables arbitrary code execution by authen

CVE-2026-4148 HIGH
8.7 Mar 17

MongoDB Server sharded clusters are vulnerable to use-after-free memory corruption when authenticated users with read pe

CVE-2026-9740 HIGH
8.7 Jun 09

Remote unauthenticated denial-of-service in MongoDB Server's BSON validation layer allows attackers to crash the mongod

CVE-2026-9742 HIGH
8.2 Jun 09

Pre-authentication denial-of-service in MongoDB Server allows unauthenticated remote clients to crash the database proce

CVE-2026-9753 HIGH
7.2 Jun 09

Memory disclosure and denial-of-service in MongoDB Server allows any authenticated user with aggregate command privilege

CVE-2026-9750 HIGH
7.1 Jun 09

MongoDB Server exposes an availability and data integrity risk allowing any low-privileged authenticated user to crash t

CVE-2026-9748 HIGH
7.1 Jun 09

Remote denial-of-service in MongoDB Server allows an authenticated user to crash the mongod process by submitting an agg

CVE-2026-9752 HIGH
7.1 Jun 09

Denial of service in MongoDB Server allows an authenticated user to crash the database process by issuing a geospatial q

CVE-2026-9743 HIGH
7.1 Jun 09

Denial of service in MongoDB Server 8.0 allows authenticated users with aggregation pipeline privileges to crash the ser

CVE-2026-9749 HIGH
7.1 Jun 09

Denial of service in MongoDB Server allows authenticated users to trigger an assertion failure by running aggregation pi

CVE-2026-9747 HIGH
7.1 Jun 09

Denial of service in MongoDB Server allows authenticated remote attackers to crash the database process by submitting ag

CVE-2026-9746 HIGH
7.1 Jun 09

Denial of service in MongoDB Server occurs when an authenticated user issues a $changeStreams aggregation combined with

Share

CVE-2026-8336 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy