Skip to main content

MongoDB Server CVE-2026-9743

| EUVDEUVD-2026-35861 HIGH
NULL Pointer Dereference (CWE-476)
2026-06-09 mongodb GHSA-cmc7-vq67-x4pm
7.1
CVSS 4.0 · Vendor: mongodb
Share

Severity by source

Vendor (mongodb) PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (mongodb) · only source for this CVE.

CVSS VectorVendor: mongodb

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

7
Patch available
Jun 10, 2026 - 02:01 EUVD
Analysis Updated
Jun 09, 2026 - 23:36 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 09, 2026 - 23:36 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 09, 2026 - 23:22 vuln.today
cvss_changed
Severity Changed
Jun 09, 2026 - 23:22 NVD
MEDIUM HIGH
CVSS changed
Jun 09, 2026 - 23:22 NVD
6.5 (MEDIUM) 7.1 (HIGH)
Analysis Generated
Jun 09, 2026 - 22:48 vuln.today

DescriptionCVE.org

In MongoDB Server 8.0, an aggregation stage can leave its _subPipeline field null during processing of certain pipelines. If a getMore is subsequently issued on the same cursor, the server may dereference this null sub-pipeline when reattaching to the operation context, accessing an invalid address and crashing the process. This issue allows an authenticated user who can run aggregation pipelines to cause a denial of service by issuing a specially crafted aggregation followed by getMore on affected versions.

AnalysisAI

Denial of service in MongoDB Server 8.0 allows authenticated users with aggregation pipeline privileges to crash the server process by issuing a specially crafted aggregation followed by a getMore command on the same cursor, triggering a null pointer dereference in the aggregation stage's _subPipeline field. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but the low attack complexity and minimal privilege requirement make it a credible availability threat for multi-tenant or shared MongoDB deployments.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate to MongoDB 8.0
Delivery
Issue crafted aggregation pipeline
Exploit
Leave _subPipeline field null
Execution
Send getMore on returned cursor
Persist
Server dereferences null pointer
Impact
mongod process crashes (DoS)

Vulnerability AssessmentAI

Exploitation Attacker must hold valid MongoDB credentials with privileges to execute aggregation pipelines (typically the built-in read role or any role granting the 'find'/aggregate action on a target collection) against MongoDB Server 8.0. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector AV:N/AC:L/AT:N/PR:L/UI:N with VA:H (high availability impact, no confidentiality/integrity impact) accurately reflects a network-reachable, low-complexity, low-privilege DoS bug - yielding a 7.1 base score. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated user - for example, a low-privileged analytics account in a shared MongoDB cluster or a tenant in a managed-MongoDB service - connects to the server and issues a specially crafted aggregation pipeline that leaves an internal _subPipeline field null. They then call getMore against the returned cursor, the server dereferences the null pointer while reattaching the operation context, and the mongod process crashes, taking the primary offline until the replica set fails over or the process restarts. …
Remediation Patch available per vendor advisory - consult MongoDB SERVER-123688 at https://jira.mongodb.org/browse/SERVER-123688 for the exact 8.0.x fixed build and upgrade to that release. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all MongoDB Server 8.0 deployments and audit current aggregation pipeline privilege assignments across user and application accounts. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-8053 HIGH
8.7 May 12

Out-of-bounds memory write in MongoDB Server's time-series collection feature enables arbitrary code execution by authen

CVE-2026-4148 HIGH
8.7 Mar 17

MongoDB Server sharded clusters are vulnerable to use-after-free memory corruption when authenticated users with read pe

CVE-2026-9740 HIGH
8.7 Jun 09

Remote unauthenticated denial-of-service in MongoDB Server's BSON validation layer allows attackers to crash the mongod

CVE-2026-9742 HIGH
8.2 Jun 09

Pre-authentication denial-of-service in MongoDB Server allows unauthenticated remote clients to crash the database proce

CVE-2026-8336 HIGH
7.7 May 13

Authenticated users can crash MongoDB Server by chaining specific server-side JavaScript operations ($_internalJsEmit or

CVE-2026-9753 HIGH
7.2 Jun 09

Memory disclosure and denial-of-service in MongoDB Server allows any authenticated user with aggregate command privilege

CVE-2026-9750 HIGH
7.1 Jun 09

MongoDB Server exposes an availability and data integrity risk allowing any low-privileged authenticated user to crash t

CVE-2026-9748 HIGH
7.1 Jun 09

Remote denial-of-service in MongoDB Server allows an authenticated user to crash the mongod process by submitting an agg

CVE-2026-9752 HIGH
7.1 Jun 09

Denial of service in MongoDB Server allows an authenticated user to crash the database process by issuing a geospatial q

CVE-2026-9749 HIGH
7.1 Jun 09

Denial of service in MongoDB Server allows authenticated users to trigger an assertion failure by running aggregation pi

CVE-2026-9747 HIGH
7.1 Jun 09

Denial of service in MongoDB Server allows authenticated remote attackers to crash the database process by submitting ag

CVE-2026-9746 HIGH
7.1 Jun 09

Denial of service in MongoDB Server occurs when an authenticated user issues a $changeStreams aggregation combined with

Share

CVE-2026-9743 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy