CVE-2026-8063

medium

Published 2026-05-07 · Modified 2026-05-11

CVSS v3

6.5

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVSS v2

—

VIR risk

6.5

Description

An authenticated user can crash mongod when running $rankFusion or $scoreFusion with an empty pipeline on a view. When resolving a view, the server inspects the aggregation pipeline to determine whether it begins with an Atlas Search stage. For $rankFusion and $scoreFusion, this inspection reads the first element on each stage’s input pipeline array without first verifying that the array is non-empty. Supplying an empty pipeline causes a null pointer dereference and crashes the server. This issue affects MongoDB Server 8.2 versions prior to 8.2.7.

Predictions

Exploit likelihood

75%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: cna@mongodb.com — https://jira.mongodb.org/browse/SERVER-121851

Application impact

Vendor	Product	Versions	Fixed
mongodb	mongodb	`{"startIncluding":"8.2.0","endExcluding":"8.2.7"}`	`8.2.7`

References

https://jira.mongodb.org/browse/SERVER-121851

CWEs

CWE-476

Verify integrity in audit chain (admin only). AS-IS.