Description
A use-after-free vulnerability exists in MongoDB Server's server-side JavaScript engine when converting BSON documents to JavaScript arrays. An authenticated user with read privileges who is able to run server-side JavaScript (for example, via $where or $function) can cause the server to access memory that has already been freed. This may result in disclosure of information from the mongod process memory or a denial of service through a server crash.
Published: 2026-06-12
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a use‑after‑free in MongoDB Server’s server‑side JavaScript engine used during BSON‑to‑array conversion. When an authenticated user with read permissions can execute JavaScript by using operators such as $where or $function, the server may dereference freed memory. This can reveal private data from the mongod process or cause an immediate crash, leading to a denial of service. The flaw is a classic use‑after‑free (CWE‑787).

Affected Systems

Affected systems include all MongoDB Server installations that expose the server‑side JavaScript runtime. Any version that accepts $where or $function calls in queries is vulnerable, regardless of deployment size. Version ranges are not enumerated in the data, so all installations that have not applied the referenced Jira fix are considered at risk.

Risk and Exploitability

The CVSS score of 8.7 reflects a high‑severity condition, though the EPSS score is not available, so the current exploitation probability is unknown. The vulnerability is not listed in CISA’s KEV catalog. To exploit it, an attacker must first authenticate with sufficient privileges to run server‑side JavaScript; the attack vector is thus purely authenticated. Once there, the attacker can trigger the use‑after‑free by submitting a specially crafted BSON document, potentially reading sensitive memory or crashing the server.

Generated by OpenCVE AI on June 12, 2026 at 03:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MongoDB to a version that includes the fix for SERVER-128125.
  • Disable server‑side JavaScript execution by removing $where and $function operators from queries or setting the JavaScript engine to read‑only mode.
  • Restrict authorized users to the minimal privileges required, ensuring that accounts that cannot run server‑side JavaScript do not have read access.

Generated by OpenCVE AI on June 12, 2026 at 03:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 03:45:00 +0000

Type Values Removed Values Added
First Time appeared Mongodb
Mongodb mongodb
Vendors & Products Mongodb
Mongodb mongodb

Fri, 12 Jun 2026 02:15:00 +0000

Type Values Removed Values Added
Description A use-after-free vulnerability exists in MongoDB Server's server-side JavaScript engine when converting BSON documents to JavaScript arrays. An authenticated user with read privileges who is able to run server-side JavaScript (for example, via $where or $function) can cause the server to access memory that has already been freed. This may result in disclosure of information from the mongod process memory or a denial of service through a server crash.
Title Post-authentication use-after-free in server-side JavaScript BSON-to-array conversion
Weaknesses CWE-787
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Mongodb Mongodb
cve-icon MITRE

Status: PUBLISHED

Assigner: mongodb

Published:

Updated: 2026-06-12T01:58:46.264Z

Reserved: 2026-06-10T18:54:51.125Z

Link: CVE-2026-11933

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-12T02:16:38.527

Modified: 2026-06-12T02:16:38.527

Link: CVE-2026-11933

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-12T03:30:12Z

Weaknesses