CVE-2026-8336
medium
CVSS v3
6.5
CVSS v2
—
VIR risk
6.5
Description
After invoking $_internalJsEmit (which is not intended to be directly accessible) or the mapreduce command’s map function in a certain way, an authenticated user can subsequently crash mongod by using the server-side JavaScript engine (through $where, $function, the mapreduce reduce stage, etc.) in a specific way. The result is a post-authentication denial of service. This issue impacts MongoDB Server v8.2 versions prior to 8.2.9 and v8.3 versions prior to 8.3.2.
Predictions
Exploit likelihood
75%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: cna@mongodb.com — https://jira.mongodb.org/browse/SERVER-121610
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| mongodb | mongodb | >= 8.2.0, < 8.2.9 | 8.2.9 |
References
CWEs
CWE-416