Skip to main content

MongoDB Server EUVDEUVD-2026-29894

| CVE-2026-8202 MEDIUM
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-05-13 mongodb GHSA-p4m7-wm4c-77hf
5.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
CVSS changed
May 13, 2026 - 15:52 NVD
4.3 (MEDIUM) 5.3 (MEDIUM)
Patch available
May 13, 2026 - 02:01 EUVD
Analysis Generated
May 13, 2026 - 02:00 vuln.today
CVE Published
May 13, 2026 - 00:19 nvd
MEDIUM 4.3

DescriptionCVE.org

Using a densely populated chars mask and a large input string in the MongoDB aggregation operators $trim, $ltrim, and $rtrim, an authenticated user with aggregation permissions can pin CPU utilization at 100% for an extended period of time.

This issue impacts MongoDB Server v7.0 versions prior to 7.0.34, v8.0 versions prior to 8.0.23, v8.2 versions prior to 8.2.9 and v8.3 versions prior to 8.3.2.

AnalysisAI

Denial of service in MongoDB Server v7.0 through v8.3 allows authenticated users with aggregation permissions to exhaust CPU resources via densely populated character masks in $trim, $ltrim, and $rtrim aggregation operators. An attacker can pin CPU utilization at 100% for extended periods by crafting malicious aggregation queries with large input strings and computationally expensive mask patterns. No public exploit code or active exploitation has been reported at time of analysis.

Technical ContextAI

The vulnerability resides in MongoDB's aggregation pipeline operators $trim, $ltrim, and $rtrim, which are used to remove characters from strings. These operators accept a character mask (chars parameter) that specifies which characters to trim. The underlying implementation appears to use inefficient algorithms when processing densely populated character masks against large input strings, causing excessive CPU iterations without proper bounds checking or algorithmic optimization. This is classified as CWE-770 (Allocation of Resources Without Limits or Throttling), indicating the operators fail to constrain computational resource consumption proportional to input size. The vulnerability requires network access (AV:N) and only medium attack complexity (AC:L), but mandates authentication (PR:L) and aggregation permissions, limiting the attack surface to authorized database users.

RemediationAI

Upgrade to patched versions: MongoDB Server 7.0.34 or later, 8.0.23 or later, 8.2.9 or later, or 8.3.2 or later. Consult MongoDB's official release notes at https://jira.mongodb.org/browse/SERVER-120668 for detailed upgrade instructions specific to your version branch. As a temporary mitigation for deployments that cannot immediately patch, restrict aggregation pipeline permissions via role-based access control (RBAC) to only trusted users, or disable the $trim, $ltrim, and $rtrim operators if they are not actively used in production queries. Note that restricting aggregation permissions may impact application functionality if legitimate aggregation pipelines depend on these operators; test thoroughly in staging before deploying production restrictions.

CVE-2026-8053 HIGH
8.7 May 12

Out-of-bounds memory write in MongoDB Server's time-series collection feature enables arbitrary code execution by authen

CVE-2026-4148 HIGH
8.7 Mar 17

MongoDB Server sharded clusters are vulnerable to use-after-free memory corruption when authenticated users with read pe

CVE-2026-9740 HIGH
8.7 Jun 09

Remote unauthenticated denial-of-service in MongoDB Server's BSON validation layer allows attackers to crash the mongod

CVE-2026-9742 HIGH
8.2 Jun 09

Pre-authentication denial-of-service in MongoDB Server allows unauthenticated remote clients to crash the database proce

CVE-2026-8336 HIGH
7.7 May 13

Authenticated users can crash MongoDB Server by chaining specific server-side JavaScript operations ($_internalJsEmit or

CVE-2026-9753 HIGH
7.2 Jun 09

Memory disclosure and denial-of-service in MongoDB Server allows any authenticated user with aggregate command privilege

CVE-2026-9750 HIGH
7.1 Jun 09

MongoDB Server exposes an availability and data integrity risk allowing any low-privileged authenticated user to crash t

CVE-2026-9748 HIGH
7.1 Jun 09

Remote denial-of-service in MongoDB Server allows an authenticated user to crash the mongod process by submitting an agg

CVE-2026-9752 HIGH
7.1 Jun 09

Denial of service in MongoDB Server allows an authenticated user to crash the database process by issuing a geospatial q

CVE-2026-9743 HIGH
7.1 Jun 09

Denial of service in MongoDB Server 8.0 allows authenticated users with aggregation pipeline privileges to crash the ser

CVE-2026-9749 HIGH
7.1 Jun 09

Denial of service in MongoDB Server allows authenticated users to trigger an assertion failure by running aggregation pi

CVE-2026-9747 HIGH
7.1 Jun 09

Denial of service in MongoDB Server allows authenticated remote attackers to crash the database process by submitting ag

Share

EUVD-2026-29894 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy