Which versions of MongoDB Server are affected by CVE-2026-8336?

MongoDB Server versions 7.0 through 8.3 contain a use-after-free vulnerability in JavaScript execution that allows authenticated database users to crash the database service, potentially disrupting…. A patch is available.

MongoDB Server CVE-2026-8336

Q: What is the CVSS score of CVE-2026-8336?

CVE-2026-8336 has a CVSS 4.0 base score of 7.7 (High). CVSS vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:A/V:D/RE:M/U:Red. EPSS exploitation probability: 0.1%.

EUVD-2026-29893 HIGH

Use After Free (CWE-416)

2026-05-13 mongodb

GHSA-5f8r-h2c3-xvqc

Denial Of Service Use After Free Memory Corruption

7.7

CVSS 4.0

CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:A/V:D/RE:M/U:Red

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Analysis Updated

May 13, 2026 - 16:01 vuln.today

v2 (cvss_changed)

Re-analysis Queued

May 13, 2026 - 15:52 vuln.today

cvss_changed

CVSS changed

May 13, 2026 - 15:52 NVD

7.5 (HIGH) 7.7 (HIGH)

Patch available

May 13, 2026 - 01:17 EUVD

Analysis Generated

May 13, 2026 - 01:16 vuln.today

CVE Published

May 13, 2026 - 00:16 nvd

HIGH 7.5

DescriptionNVD

After invoking $_internalJsEmit, which is not intended to be directly accessible, or mapreduce command’s map function in a certain way, an authenticated user can subsequently crash mongod when the server-side JavaScript engine (through $where, $function, mapreduce reduce stage, etc.) is used also in a specific way, resulting in a post-authentication denial-of-service.

This issue impacts MongoDB Server v7.0 versions prior to 7.0.34, v8.0 versions prior to 8.0.23, v8.2 versions prior to 8.2.9 and v8.3 versions prior to 8.3.2.

AnalysisAI

Authenticated users can crash MongoDB Server by chaining specific server-side JavaScript operations ($_internalJsEmit or mapreduce map functions) with subsequent JavaScript engine invocations ($where, $function, mapreduce reduce stages), triggering a use-after-free condition. Affects MongoDB Server 7.0 (prior to 7.0.34), 8.0 (prior to 8.0.23), 8.2 (prior to 8.2.9), and 8.3 (prior to 8.3.2). …

RemediationAI

Within 24 hours: Identify all MongoDB Server instances running versions 7.0.x, 8.0.x, 8.2.x, or 8.3.x in production and non-production environments. Within 7 days: Apply vendor patches (7.0.34 or later, 8.0.23 or later, 8.2.9 or later, 8.3.2 or later) to development and test environments; validate application compatibility. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-8336 vulnerability details – vuln.today

Back

MongoDB Server CVE-2026-8336

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

MongoDB Server CVE-2026-8336

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code