Which versions of MongoDB Server are affected by CVE-2026-8843?

MongoDB Server versions 7.0, 8.0, and 8.2 contain a high-severity denial-of-service vulnerability that allows authenticated users to crash the database through specially crafted document insertions.. A patch is available.

MongoDB Server CVE-2026-8843

Q: What is the CVSS score of CVE-2026-8843?

CVE-2026-8843 has a CVSS 4.0 base score of 7.1 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-30777 HIGH

Reachable Assertion (CWE-617)

2026-05-18 mongodb

GHSA-v7q4-vccc-3jxg

Denial Of Service

7.1

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Analysis Generated

May 18, 2026 - 17:32 vuln.today

Severity Changed

May 18, 2026 - 17:22 NVD

MEDIUM HIGH

CVSS changed

May 18, 2026 - 17:22 NVD

6.5 (MEDIUM) 7.1 (HIGH)

Patch available

May 18, 2026 - 17:01 EUVD

DescriptionNVD

Creating a "2dsphere_bucket" index on a non-timeseries bucket collection will succeed, but any subsequent attempt to insert a document which triggers updating that index will crash the server. A similar issue occurs when creating "queryable_encrypted_range" indices.

This issue affects MongoDB Server v7.0 versions prior to 7.0.32, v8.0 versions prior to 8.0.21 and v8.2 versions prior to 8.2.6

AnalysisAI

Denial of service in MongoDB Server 7.0, 8.0, and 8.2 allows authenticated remote attackers to crash the database by inserting documents that trigger updates to a maliciously created '2dsphere_bucket' or 'queryable_encrypted_range' index on a non-timeseries bucket collection. The flaw stems from a reachable assertion (CWE-617) and is reported by MongoDB itself with a vendor patch available; no public exploit identified at time of analysis.

RemediationAI

Within 24 hours: inventory all MongoDB Server instances (versions 7.0, 8.0, 8.2) and document user access levels. Within 7 days: apply the vendor-released security patch to all affected instances; alternatively, restrict database access to essential applications only if patching cannot be completed immediately. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-8843 vulnerability details – vuln.today

Back

MongoDB Server CVE-2026-8843

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

MongoDB Server CVE-2026-8843

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code