
[CIVN-2026-0254] Multiple Vulnerabilities in MongoDB
Multiple Vulnerabilities in MongoDB
Indian – Computer Emergency Response Team (https://www.cert-in.org.in)
Severity Rating: HIGH
Software Affected
MongoDB Server v5.0 versions prior to 5.0.33
MongoDB Server v6.0 versions prior to 6.0.28
MongoDB Server v7.0 versions prior to 7.0.34
MongoDB Server v8.0 versions prior to 8.0.23
MongoDB Server v8.2 versions prior to 8.2.9
MongoDB Server v8.3 versions prior to 8.3.2
MongoDB Ops Manager versions prior to 8.0.22 and 8.0.22
MongoDB Ops Manager version 7.0
Overview
Multiple vulnerabilities have been identified in MongoDB Server and Ops Manager that could allow attackers to cause service disruption, resource exhaustion, memory corruption, arbitrary code execution and potential compromise of the targeted system.
Target Audience:
All end-user organizations and individuals using MongoDB products.
Risk Assessment:
High risk of unauthorized access to sensitive information.
Impact Assessment:
Potential for denial of service, memory corruption and system compromise.
Description
MongoDB is a document-oriented database platform that stores data in flexible, JSON-like documents instead of traditional tables and rows, enabling scalable and efficient handling of large, dynamic and unstructured datasets.
These vulnerabilities exist in MongoDB Server due to an out-of-bounds memory write issue in the time-series collection implementation, excessive memory consumption through bitwise match expression processing, improper handling of server-side JavaScript execution, insufficient validation during query processing operations, a use-after-free condition and improper memory handling in internal processing components. These flaws could allow authenticated attackers to trigger memory corruption, resource exhaustion, denial of service (DoS) conditions, and under certain circumstances, arbitrary code execution by using specially crafted requests and expressions.
Successful exploitation may result in service disruption, resource exhaustion, memory corruption, arbitrary code execution and potential compromise of the targeted system.
Solution
Apply appropriate updates as mentioned in:
https://www.mongodb.com/resources/products/alerts#security
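Added example (not part of the CERT-In advisory and not MongoDB tooling): a triage helper that classifies MongoDB Server version strings, as reported by db.version() or mongod --version, against the fixed releases listed under Software Affected. Assumptions: a release candidate of a fixed patch level is treated as still affected, series the advisory does not list are reported as "not-listed" rather than judged, Ops Manager is left out, and the inventory below is constructed sample data.

```python
import re

# Fixed patch level per release series, copied from "Software Affected".
FIXED = {(5, 0): 33, (6, 0): 28, (7, 0): 34, (8, 0): 23, (8, 2): 9, (8, 3): 2}

# major.minor.patch, optional -rcN, optional vendor/build suffix (e.g. "-ent").
_VERSION = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(-rc\d+)?(?:[-+].*)?$")


def triage(version):
    """Return 'affected', 'fixed', 'not-listed' or 'unparseable'."""
    m = _VERSION.match(version.strip())
    if not m:
        return "unparseable"
    major, minor, patch = (int(g) for g in m.group(1, 2, 3))
    fixed_patch = FIXED.get((major, minor))
    if fixed_patch is None:
        # The advisory says nothing about this series; draw no conclusion.
        return "not-listed"
    if patch < fixed_patch:
        return "affected"
    if patch == fixed_patch and m.group(4):
        # Assumption: an -rc build of the fixed patch predates the release.
        return "affected"
    return "fixed"


def triage_inventory(inventory):
    """Return (host, version, status) rows, hosts needing action first."""
    order = {"affected": 0, "unparseable": 1, "not-listed": 2, "fixed": 3}
    rows = [(host, ver, triage(ver)) for host, ver in inventory.items()]
    return sorted(rows, key=lambda r: (order[r[2]], r[0]))


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = {
    "db-a": "7.0.12",
    "db-b": "8.0.23",
    "db-c": "6.0.27-ent",
    "db-d": "4.4.29",
    "db-e": "8.2.9-rc1",
    "db-f": "unknown",
}

if __name__ == "__main__":
    for host, ver, status in triage_inventory(SAMPLE):
        print(f"{host:6} {ver:12} {status}")
```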
Vendor Information
MongoDB
https://www.mongodb.com/resources/products/alerts#security
References
https://jira.mongodb.org/browse/SERVER-120668
https://jira.mongodb.org/browse/SERVER-121610
https://jira.mongodb.org/browse/SERVER-122032
https://jira.mongodb.org/browse/SERVER-122449
https://jira.mongodb.org/browse/SERVER-126021
https://www.mongodb.com/docs/ops-manager/current/release-notes/application/#onprem-server-8.0.23
CVE Name
CVE-2026-8053
CVE-2026-8199
CVE-2026-8201
CVE-2026-8202
CVE-2026-8336
CVE-2026-8431
--
Thanks and Regards,
CERT-In
Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax : 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003


