Skip to main content

MongoDB Server CVE-2026-9748

| EUVDEUVD-2026-35864 HIGH
Reachable Assertion (CWE-617)
2026-06-09 mongodb GHSA-7r4j-g3f5-3629
7.1
CVSS 4.0 · Vendor: mongodb
Share

Severity by source

Vendor (mongodb) PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (mongodb) · only source for this CVE.

CVSS VectorVendor: mongodb

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

7
Patch available
Jun 10, 2026 - 02:01 EUVD
Analysis Updated
Jun 09, 2026 - 23:33 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 09, 2026 - 23:33 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 09, 2026 - 23:22 vuln.today
cvss_changed
Severity Changed
Jun 09, 2026 - 23:22 NVD
MEDIUM HIGH
CVSS changed
Jun 09, 2026 - 23:22 NVD
6.5 (MEDIUM) 7.1 (HIGH)
Analysis Generated
Jun 09, 2026 - 22:50 vuln.today

DescriptionCVE.org

The $_internalConvertBucketIndexStats stage used PauseExecution as a way to signal "skip this document" when an index stats conversion failed. But PauseExecution is not a general purpose skip mechanism, but rather a TeeBuffer-internal signal used solely by $facet to coordinate its sub-pipelines. When this stage is placed before $facet in a pipeline, TeeBuffer receives the unexpected PauseExecution from upstream and hits a hard invariant assertion, crashing mongod.

AnalysisAI

Remote denial-of-service in MongoDB Server allows an authenticated user to crash the mongod process by submitting an aggregation pipeline that places the $_internalConvertBucketIndexStats stage upstream of a $facet stage. The misuse of the internal PauseExecution signal trips a hard invariant assertion in TeeBuffer, terminating the database process. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain authenticated MongoDB session
Delivery
Craft aggregation with $_internalConvertBucketIndexStats before $facet
Exploit
Submit pipeline to target collection
Execution
Internal PauseExecution signal reaches TeeBuffer
Persist
Invariant assertion fires in mongod
Impact
Process crashes causing denial of service

Vulnerability AssessmentAI

Exploitation Exploitation requires authenticated access to a MongoDB instance with privileges to run aggregation pipelines on at least one collection (CVSS PR:L), and the attacker must be able to construct a pipeline that places the $_internalConvertBucketIndexStats stage before a $facet stage - this stage is associated with time-series index statistics conversion, so its availability and behavior depend on the server build. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H accurately characterizes this as a network-reachable, low-complexity, authenticated availability-only issue - no data confidentiality or integrity exposure, but a single malformed aggregation crashes the server process. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with a low-privileged authenticated MongoDB session (for example, a compromised application account or a tenant in a shared cluster) sends an aggregation pipeline that begins with $_internalConvertBucketIndexStats and then chains into a $facet stage. The first stage emits the internal PauseExecution signal on a failed conversion, TeeBuffer inside $facet receives a signal it does not expect from an upstream source, the invariant fires, and mongod aborts - repeated submissions keep the node down and can destabilize the replica set.
Remediation Patch status not confirmed from available data - consult the MongoDB advisory at https://jira.mongodb.org/browse/SERVER-123951 for the fixed release train and apply the corresponding upgrade once published. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: audit all database users with aggregation pipeline permissions and review authentication logs for suspicious activity. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-8053 HIGH
8.7 May 12

Out-of-bounds memory write in MongoDB Server's time-series collection feature enables arbitrary code execution by authen

CVE-2026-4148 HIGH
8.7 Mar 17

MongoDB Server sharded clusters are vulnerable to use-after-free memory corruption when authenticated users with read pe

CVE-2026-9740 HIGH
8.7 Jun 09

Remote unauthenticated denial-of-service in MongoDB Server's BSON validation layer allows attackers to crash the mongod

CVE-2026-9742 HIGH
8.2 Jun 09

Pre-authentication denial-of-service in MongoDB Server allows unauthenticated remote clients to crash the database proce

CVE-2026-8336 HIGH
7.7 May 13

Authenticated users can crash MongoDB Server by chaining specific server-side JavaScript operations ($_internalJsEmit or

CVE-2026-9753 HIGH
7.2 Jun 09

Memory disclosure and denial-of-service in MongoDB Server allows any authenticated user with aggregate command privilege

CVE-2026-9750 HIGH
7.1 Jun 09

MongoDB Server exposes an availability and data integrity risk allowing any low-privileged authenticated user to crash t

CVE-2026-9752 HIGH
7.1 Jun 09

Denial of service in MongoDB Server allows an authenticated user to crash the database process by issuing a geospatial q

CVE-2026-9743 HIGH
7.1 Jun 09

Denial of service in MongoDB Server 8.0 allows authenticated users with aggregation pipeline privileges to crash the ser

CVE-2026-9749 HIGH
7.1 Jun 09

Denial of service in MongoDB Server allows authenticated users to trigger an assertion failure by running aggregation pi

CVE-2026-9747 HIGH
7.1 Jun 09

Denial of service in MongoDB Server allows authenticated remote attackers to crash the database process by submitting ag

CVE-2026-9746 HIGH
7.1 Jun 09

Denial of service in MongoDB Server occurs when an authenticated user issues a $changeStreams aggregation combined with

Share

CVE-2026-9748 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy