Skip to main content

MongoDB Server CVE-2026-9750

| EUVDEUVD-2026-35866 HIGH
Reachable Assertion (CWE-617)
2026-06-09 mongodb GHSA-qh22-j9ch-4x4c
7.1
CVSS 4.0 · Vendor: mongodb
Share

Severity by source

Vendor (mongodb) PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (mongodb) · only source for this CVE.

CVSS VectorVendor: mongodb

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch available
Jun 10, 2026 - 02:01 EUVD
Analysis Generated
Jun 09, 2026 - 23:23 vuln.today
Severity Changed
Jun 09, 2026 - 23:22 NVD
MEDIUM HIGH
CVSS changed
Jun 09, 2026 - 23:22 NVD
6.5 (MEDIUM) 7.1 (HIGH)

DescriptionCVE.org

An authenticated user can cause a MongoDB server to crash or return incorrect results by creating documents that interfere with internal metadata processing during query execution. This stems from insufficient separation between user-controlled document fields and internal metadata in certain execution paths.

AnalysisAI

MongoDB Server exposes an availability and data integrity risk allowing any low-privileged authenticated user to crash the mongod process or obtain incorrect query results by inserting specially crafted documents. The root cause - insufficient separation between user-controlled document fields and internal execution metadata (CWE-617: Reachable Assertion) - means the attack surface is the normal document write workflow, requiring no elevated roles. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Obtain low-privilege MongoDB credentials
Delivery
Authenticate to MongoDB server over network
Exploit
Craft document with metadata-interfering field structure
Install
Insert malicious document into target collection
C2
Trigger query execution against collection
Execute
Cause mongod assertion failure
Impact
Server crash or incorrect query results returned

Vulnerability AssessmentAI

Exploitation The attacker must possess a valid MongoDB account with at minimum INSERT (write) privileges on at least one collection in the target database - CVSS PR:L confirms that low-privilege authentication is the entry bar, and unauthenticated external attackers cannot exploit this vulnerability. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) indicates a moderate but practically significant risk: network-accessible, low attack complexity, requiring only low-privilege credentials (PR:L), with full availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained low-privilege MongoDB credentials - for example, through a credential leak from an application configuration file - authenticates to the MongoDB server over the network and inserts a crafted document whose field names or structure collide with internal query execution metadata. When a subsequent query is executed against the collection containing that document, the server's internal assertion triggers, causing the mongod process to crash and denying database service to all connected application clients until the process is restarted.
Remediation No vendor-released patch version has been confirmed from available data - the sole reference is the MongoDB JIRA ticket SERVER-123633 at https://jira.mongodb.org/browse/SERVER-123633, which should be monitored for a fix-version announcement. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Audit MongoDB user accounts and restrict write privileges to only essential application identities; enable operation logging. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-8053 HIGH
8.7 May 12

Out-of-bounds memory write in MongoDB Server's time-series collection feature enables arbitrary code execution by authen

CVE-2026-4148 HIGH
8.7 Mar 17

MongoDB Server sharded clusters are vulnerable to use-after-free memory corruption when authenticated users with read pe

CVE-2026-9740 HIGH
8.7 Jun 09

Remote unauthenticated denial-of-service in MongoDB Server's BSON validation layer allows attackers to crash the mongod

CVE-2026-9742 HIGH
8.2 Jun 09

Pre-authentication denial-of-service in MongoDB Server allows unauthenticated remote clients to crash the database proce

CVE-2026-8336 HIGH
7.7 May 13

Authenticated users can crash MongoDB Server by chaining specific server-side JavaScript operations ($_internalJsEmit or

CVE-2026-9753 HIGH
7.2 Jun 09

Memory disclosure and denial-of-service in MongoDB Server allows any authenticated user with aggregate command privilege

CVE-2026-9748 HIGH
7.1 Jun 09

Remote denial-of-service in MongoDB Server allows an authenticated user to crash the mongod process by submitting an agg

CVE-2026-9752 HIGH
7.1 Jun 09

Denial of service in MongoDB Server allows an authenticated user to crash the database process by issuing a geospatial q

CVE-2026-9743 HIGH
7.1 Jun 09

Denial of service in MongoDB Server 8.0 allows authenticated users with aggregation pipeline privileges to crash the ser

CVE-2026-9749 HIGH
7.1 Jun 09

Denial of service in MongoDB Server allows authenticated users to trigger an assertion failure by running aggregation pi

CVE-2026-9747 HIGH
7.1 Jun 09

Denial of service in MongoDB Server allows authenticated remote attackers to crash the database process by submitting ag

CVE-2026-9746 HIGH
7.1 Jun 09

Denial of service in MongoDB Server occurs when an authenticated user issues a $changeStreams aggregation combined with

Share

CVE-2026-9750 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy