
MongoDB Server · EUVD-2026-35859 | CVE-2026-9741 HIGH
Cleartext Transmission of Sensitive Information (CWE-319)
2026-06-09 · mongodb · GHSA-jp8p-fq38-v738
7.1 · CVSS 4.0 · Vendor: mongodb

Severity by source

Vendor (mongodb) PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (mongodb) · only source for this CVE.

CVSS 4.0 vector breakdown (vendor: mongodb; full vector string above)
Attack Vector
Network
Attack Complexity
Low
Attack Requirements
None
Privileges Required
Low
User Interaction
None
Vulnerable System Impact
Confidentiality High · Integrity None · Availability None
Subsequent System Impact
Confidentiality None · Integrity None · Availability None
Threat, Environmental and Supplemental metrics
Not defined (X). CVSS 4.0 has no Scope metric; the "S" in the vector is the supplemental Safety metric.

Lifecycle Timeline

Patch available · Jun 10, 2026 - 02:01 · EUVD
Analysis Updated · Jun 09, 2026 - 23:38 · vuln.today · v3 (cvss_changed)
Analysis Updated · Jun 09, 2026 - 23:38 · vuln.today · v2 (cvss_changed)
Re-analysis Queued · Jun 09, 2026 - 23:22 · vuln.today · cvss_changed
Severity Changed · Jun 09, 2026 - 23:22 · NVD · MEDIUM → HIGH
CVSS changed · Jun 09, 2026 - 23:22 · NVD · 6.5 (MEDIUM) → 7.1 (HIGH)
Analysis Generated · Jun 09, 2026 - 22:48 · vuln.today

Description (CVE.org)

A bug in query analysis processing of the $vectorSearch aggregation stage for Queryable Encryption (QE) or Client-Side Field Level Encryption (CSFLE) results in literal values for encrypted fields within the $vectorSearch stage filter expressions being sent to the server as plaintext instead of ciphertext.

Analysis (AI)

Sensitive information disclosure in MongoDB Server affects deployments using Queryable Encryption (QE) or Client-Side Field Level Encryption (CSFLE) when issuing $vectorSearch aggregation queries. Due to a flaw in client-side query analysis, literal values intended for encrypted fields inside $vectorSearch filter expressions are transmitted to the server as plaintext instead of ciphertext, defeating the confidentiality guarantee of client-side encryption. …
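The failure mode above is easy to check for from the server side of the connection: after client-side query analysis, every literal compared against an encrypted field must arrive as ciphertext, which libmongocrypt encodes as BSON Binary subtype 6. The script below is an added example, not code from MongoDB, the vendor advisory or vuln.today. It walks the `filter` of each `$vectorSearch` stage in a pipeline (as captured from a slow-query log line, the profiler collection, or a driver command-monitoring hook that exposes the post-analysis command) and reports any encrypted-field literal that is still plaintext. The `EncryptedBinary` class is a stand-in for `bson.Binary(..., subtype=6)` so the script runs without pymongo; the field names, index name, ciphertext bytes and both sample pipelines are constructed for illustration.

```python
"""Flag plaintext literals on encrypted fields inside $vectorSearch filters.

Added example (not MongoDB's code). Assumes the inspected pipeline is the
post-analysis command that reaches the server, and that CSFLE/QE ciphertext
appears as BSON Binary subtype 6.
"""
from dataclasses import dataclass
from typing import Any, Iterator, List, Tuple

ENCRYPTED_SUBTYPE = 6  # BSON binary subtype libmongocrypt uses for ciphertext


@dataclass(frozen=True)
class EncryptedBinary:
    """Stand-in for bson.Binary(data, subtype=6) so this runs without pymongo."""
    data: bytes
    subtype: int = ENCRYPTED_SUBTYPE


def is_ciphertext(value: Any) -> bool:
    return isinstance(value, EncryptedBinary) and value.subtype == ENCRYPTED_SUBTYPE


# Filter operators $vectorSearch accepts, grouped by operand shape.
SCALAR_OPS = {"$eq", "$ne", "$gt", "$gte", "$lt", "$lte"}
LIST_OPS = {"$in", "$nin"}
LOGICAL_OPS = {"$and", "$or", "$nor"}


def _literals(operand: Any) -> Iterator[Any]:
    """Yield every literal a single filter clause compares its field against."""
    if isinstance(operand, dict) and any(k.startswith("$") for k in operand):
        for op, val in operand.items():
            if op in SCALAR_OPS:
                yield val
            elif op in LIST_OPS:
                yield from val
            elif op == "$not":
                yield from _literals(val)
            # $exists and similar carry no comparable literal
    else:
        yield operand  # implicit equality: {field: literal}


def _walk_filter(expr: dict, found: List[Tuple[str, Any]]) -> None:
    """Collect (field, literal) pairs, descending through $and/$or/$nor."""
    for key, val in expr.items():
        if key in LOGICAL_OPS:
            for sub in val:
                _walk_filter(sub, found)
        elif not key.startswith("$"):
            found.extend((key, lit) for lit in _literals(val))


def find_plaintext_encrypted_literals(pipeline, encrypted_paths):
    """Return (stage_index, field, literal) for every literal in a $vectorSearch
    filter that targets an encrypted field but is not Binary subtype 6."""
    encrypted = set(encrypted_paths)
    problems = []
    for i, stage in enumerate(pipeline):
        vs = stage.get("$vectorSearch")
        if not isinstance(vs, dict) or "filter" not in vs:
            continue
        found: List[Tuple[str, Any]] = []
        _walk_filter(vs["filter"], found)
        problems.extend((i, f, lit) for f, lit in found
                        if f in encrypted and not is_ciphertext(lit))
    return problems


# Constructed sample: the paths declared as encrypted in a hypothetical
# encryptedFields / schema map (not from the advisory).
ENCRYPTED_FIELDS = ["ssn", "patient.mrn"]
VECTOR_SEARCH = {"index": "notes_vec", "path": "embedding",
                 "queryVector": [0.12, -0.31, 0.05], "numCandidates": 100, "limit": 10}

# What the buggy analyzer sends: encrypted-field literals left in the clear.
LEAKING_PIPELINE = [
    {"$vectorSearch": {**VECTOR_SEARCH, "filter": {"$and": [
        {"ssn": "123-45-6789"},
        {"patient.mrn": {"$in": ["MRN-001", "MRN-002"]}},
        {"tenant": "acme"},  # not an encrypted field; plaintext is expected
    ]}}},
    {"$project": {"embedding": 0}},
]

# The same query after correct analysis (placeholder ciphertext bytes).
SAFE_PIPELINE = [
    {"$vectorSearch": {**VECTOR_SEARCH, "filter": {"$and": [
        {"ssn": EncryptedBinary(b"\x0e\x01\x02\x03")},
        {"patient.mrn": {"$in": [EncryptedBinary(b"\x0e\x04"), EncryptedBinary(b"\x0e\x05")]}},
        {"tenant": "acme"},
    ]}}},
    {"$project": {"embedding": 0}},
]

if __name__ == "__main__":
    for name, p in (("leaking", LEAKING_PIPELINE), ("safe", SAFE_PIPELINE)):
        print(name, find_plaintext_encrypted_literals(p, ENCRYPTED_FIELDS))
```

Run against the leaking pipeline the check returns the three plaintext literals on `ssn` and `patient.mrn` and ignores `tenant`; against the correctly analysed pipeline it returns nothing. Stages other than `$vectorSearch` are deliberately skipped because the advisory scopes the defect to that stage; widen `find_plaintext_encrypted_literals` to `$match` as well if you want a general assertion that no encrypted-field literal ever leaves the client in the clear.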


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Identify a MongoDB deployment using QE/CSFLE
Delivery: Gain server-side read access or visibility of client-server traffic
Exploit: Application issues $vectorSearch with a filter on an encrypted field
Execution: Client-side query analyzer fails to encrypt the filter literals
Persist: Plaintext literals land in server logs, profiler output or traffic captures
Impact: Harvest cleartext values of fields that were supposed to be encrypted

Vulnerability Assessment (AI)

Exploitation: Exploitation requires that the target deployment uses MongoDB Queryable Encryption or Client-Side Field Level Encryption AND that applications issue $vectorSearch aggregation stages whose filter expressions compare encrypted fields against literal values. Deployments not using QE/CSFLE, or using QE/CSFLE without $vectorSearch, are not affected. …
Risk Assessment: The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N) describes a network-reachable, low-complexity issue that needs only a low-privileged authenticated actor and yields high confidentiality impact with no integrity or availability effect, consistent with an information disclosure that exposes values the application believed were encrypted. The actor here is whoever can read the query once it reaches the server; the client application is the unwitting sender. …
Exploit Scenario: An insider with read access to the MongoDB server, a hosting-provider operator, or an attacker who has compromised the database host reads the query as it arrives (slow-query log lines, the profiler collection, currentOp output, or network captures where the connection is not TLS-protected) and harvests the plaintext literals from $vectorSearch filter expressions that the application believed were encrypted. No public exploit identified at time of analysis; exploitation is opportunistic and observational rather than requiring a crafted payload, since the attacker only reads data that already lands at a position they control.
Remediation: Patch availability is tracked in MongoDB ticket SERVER-123507 (https://jira.mongodb.org/browse/SERVER-123507). Because the defect sits in client-side query analysis, the upgrade must cover the components that perform it (the crypt_shared library / mongocryptd query analyzer and the MongoDB drivers) as well as MongoDB Server; move all of them to the fixed versions listed in that advisory once published. No exact fix version is enumerated on this page. Patching does not undo the exposure: any server logs, profiler data or captures retained from the affected window should be treated as containing the plaintext values. …

Recommended Action (AI)

Within 24 hours: Inventory all MongoDB Server deployments using Queryable Encryption (QE) or Client-Side Field Level Encryption (CSFLE) in combination with $vectorSearch queries, including affected versions and classification of data at risk. …


Related MongoDB Server CVEs

CVE-2026-8053 · HIGH 8.7 · May 12 · Out-of-bounds memory write in MongoDB Server's time-series collection feature enables arbitrary code execution by authen…
CVE-2026-4148 · HIGH 8.7 · Mar 17 · MongoDB Server sharded clusters are vulnerable to use-after-free memory corruption when authenticated users with read pe…
CVE-2026-9740 · HIGH 8.7 · Jun 09 · Remote unauthenticated denial-of-service in MongoDB Server's BSON validation layer allows attackers to crash the mongod…
CVE-2026-9742 · HIGH 8.2 · Jun 09 · Pre-authentication denial-of-service in MongoDB Server allows unauthenticated remote clients to crash the database proce…
CVE-2026-8336 · HIGH 7.7 · May 13 · Authenticated users can crash MongoDB Server by chaining specific server-side JavaScript operations ($_internalJsEmit or…
CVE-2026-9753 · HIGH 7.2 · Jun 09 · Memory disclosure and denial-of-service in MongoDB Server allows any authenticated user with aggregate command privilege…
CVE-2026-9750 · HIGH 7.1 · Jun 09 · MongoDB Server exposes an availability and data integrity risk allowing any low-privileged authenticated user to crash t…
CVE-2026-9748 · HIGH 7.1 · Jun 09 · Remote denial-of-service in MongoDB Server allows an authenticated user to crash the mongod process by submitting an agg…
CVE-2026-9752 · HIGH 7.1 · Jun 09 · Denial of service in MongoDB Server allows an authenticated user to crash the database process by issuing a geospatial q…
CVE-2026-9743 · HIGH 7.1 · Jun 09 · Denial of service in MongoDB Server 8.0 allows authenticated users with aggregation pipeline privileges to crash the ser…
CVE-2026-9749 · HIGH 7.1 · Jun 09 · Denial of service in MongoDB Server allows authenticated users to trigger an assertion failure by running aggregation pi…
CVE-2026-9747 · HIGH 7.1 · Jun 09 · Denial of service in MongoDB Server allows authenticated remote attackers to crash the database process by submitting ag…


EUVD-2026-35859 vulnerability details – vuln.today
