Is there a patch available for EUVD-2026-28326?

Yes, a patch is available for EUVD-2026-28326. Update the affected software to the latest version immediately.

MongoDB Server EUVD-2026-28326

Q: What is the CVSS score of EUVD-2026-28326?

EUVD-2026-28326 has a CVSS 4.0 base score of 7.1 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

| CVE-2026-8063 HIGH

NULL Pointer Dereference (CWE-476)

2026-05-07 mongodb

GHSA-v547-m6pg-pf7w

Denial Of Service Null Pointer Dereference

7.1

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Patch available

May 07, 2026 - 07:01 EUVD

Re-analysis Queued

May 07, 2026 - 06:35 vuln.today

cvss_changed

Severity Changed

May 07, 2026 - 06:35 NVD

MEDIUM HIGH

CVSS changed

May 07, 2026 - 06:35 NVD

6.5 (MEDIUM) 7.1 (HIGH)

Analysis Generated

May 07, 2026 - 05:45 vuln.today

CVE Published

May 07, 2026 - 04:12 nvd

MEDIUM 6.5

DescriptionNVD

An authenticated user can crash mongod when running $rankFusion or $scoreFusion with an empty pipeline on a view.

When resolving a view, the server inspects the aggregation pipeline to determine whether it begins with an Atlas Search stage. For $rankFusion and $scoreFusion, this inspection reads the first element on each stage’s input pipeline array without first verifying that the array is non-empty. Supplying an empty pipeline causes a null pointer dereference and crashes the server.

This issue affects MongoDB Server 8.2 versions prior to 8.2.7.

AnalysisAI

MongoDB Server 8.2 before version 8.2.7 crashes when an authenticated user supplies an empty pipeline to $rankFusion or $scoreFusion aggregation operators on a view. The server fails to validate that the pipeline array is non-empty before accessing its first element during view resolution, resulting in a null pointer dereference that terminates the mongod process. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

EUVD-2026-28326 vulnerability details – vuln.today

Back

MongoDB Server EUVD-2026-28326

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Analysis

Full analysis requires sign-in

Share

MongoDB Server EUVD-2026-28326

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Full analysis requires sign-in

Share

External POC / Exploit Code