Skip to main content

MongoDB Server EUVDEUVD-2026-30777

| CVE-2026-8843 HIGH
Reachable Assertion (CWE-617)
2026-05-18 mongodb GHSA-v7q4-vccc-3jxg
7.1
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Analysis Generated
May 18, 2026 - 17:32 vuln.today
Severity Changed
May 18, 2026 - 17:22 NVD
MEDIUM HIGH
CVSS changed
May 18, 2026 - 17:22 NVD
6.5 (MEDIUM) 7.1 (HIGH)
Patch available
May 18, 2026 - 17:01 EUVD

DescriptionCVE.org

Creating a "2dsphere_bucket" index on a non-timeseries bucket collection will succeed, but any subsequent attempt to insert a document which triggers updating that index will crash the server. A similar issue occurs when creating "queryable_encrypted_range" indices.

This issue affects MongoDB Server v7.0 versions prior to 7.0.32, v8.0 versions prior to 8.0.21 and v8.2 versions prior to 8.2.6

AnalysisAI

Denial of service in MongoDB Server 7.0, 8.0, and 8.2 allows authenticated remote attackers to crash the database by inserting documents that trigger updates to a maliciously created '2dsphere_bucket' or 'queryable_encrypted_range' index on a non-timeseries bucket collection. The flaw stems from a reachable assertion (CWE-617) and is reported by MongoDB itself with a vendor patch available; no public exploit identified at time of analysis.

Technical ContextAI

The vulnerability lives in MongoDB Server's index creation logic, where specialty index types intended for specific collection structures ('2dsphere_bucket' for timeseries bucket collections and 'queryable_encrypted_range' for Queryable Encryption) can be created on incompatible non-timeseries bucket collections without proper validation. CWE-617 (Reachable Assertion) indicates the server reaches an internal sanity check that should never fire under valid operation, then aborts the entire mongod process when a subsequent document insert forces the index to update. The CPE entry cpe:2.3:a:mongodb,_inc.:mongodb_server confirms the server daemon itself is the affected component, not drivers or client tooling.

RemediationAI

Vendor-released patch: upgrade MongoDB Server to 7.0.32, 8.0.21, or 8.2.6 (or any later release on the same train), as specified by MongoDB in SERVER-116327 (https://jira.mongodb.org/browse/SERVER-116327). Until the upgrade window, restrict the createIndex privilege to trusted administrative roles only - revoke it from application service accounts that do not legitimately need to create indexes at runtime - which prevents the specific trigger but breaks any application that performs ensureIndex on startup. As a narrower compensating control, audit and block creation of '2dsphere_bucket' and 'queryable_encrypted_range' index types on non-timeseries, non-queryable-encrypted collections via an auditing/proxy layer, accepting that this requires custom tooling since MongoDB has no native index-type allowlist.

CVE-2026-8053 HIGH
8.7 May 12

Out-of-bounds memory write in MongoDB Server's time-series collection feature enables arbitrary code execution by authen

CVE-2026-4148 HIGH
8.7 Mar 17

MongoDB Server sharded clusters are vulnerable to use-after-free memory corruption when authenticated users with read pe

CVE-2026-9740 HIGH
8.7 Jun 09

Remote unauthenticated denial-of-service in MongoDB Server's BSON validation layer allows attackers to crash the mongod

CVE-2026-9742 HIGH
8.2 Jun 09

Pre-authentication denial-of-service in MongoDB Server allows unauthenticated remote clients to crash the database proce

CVE-2026-8336 HIGH
7.7 May 13

Authenticated users can crash MongoDB Server by chaining specific server-side JavaScript operations ($_internalJsEmit or

CVE-2026-9753 HIGH
7.2 Jun 09

Memory disclosure and denial-of-service in MongoDB Server allows any authenticated user with aggregate command privilege

CVE-2026-9750 HIGH
7.1 Jun 09

MongoDB Server exposes an availability and data integrity risk allowing any low-privileged authenticated user to crash t

CVE-2026-9748 HIGH
7.1 Jun 09

Remote denial-of-service in MongoDB Server allows an authenticated user to crash the mongod process by submitting an agg

CVE-2026-9752 HIGH
7.1 Jun 09

Denial of service in MongoDB Server allows an authenticated user to crash the database process by issuing a geospatial q

CVE-2026-9743 HIGH
7.1 Jun 09

Denial of service in MongoDB Server 8.0 allows authenticated users with aggregation pipeline privileges to crash the ser

CVE-2026-9749 HIGH
7.1 Jun 09

Denial of service in MongoDB Server allows authenticated users to trigger an assertion failure by running aggregation pi

CVE-2026-9747 HIGH
7.1 Jun 09

Denial of service in MongoDB Server allows authenticated remote attackers to crash the database process by submitting ag

Share

EUVD-2026-30777 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy