Description
A use-after-free vulnerability can be triggered in sharded clusters by an authenticated user with the read role who issues a specially crafted $lookup or $graphLookup aggregation pipeline.
Published: 2026-03-17
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Memory corruption potentially leading to denial of service or code execution
Action: Immediate Patch
AI Analysis

Impact

This vulnerability is a use-after-free (CWE-416) in the ExpressionContext handling of the classic query engine's $lookup and $graphLookup aggregation operators in MongoDB Server. A successful trigger corrupts memory in the server process; the CVSS vectors rate the result as high impact on confidentiality, integrity and availability, which covers outcomes ranging from a crash (denial of service) to code execution in the affected process.

Affected Systems

Only the MongoDB Server product from MongoDB Inc. is affected. The vulnerability is limited to sharded cluster deployments and requires an authenticated user holding the read role. No vulnerable or fixed version numbers are supplied on this page, so affected releases are not identified here.

Risk and Exploitability

The CVSS v4.0 score of 8.7 (v3.1: 8.8) indicates high severity. EPSS is below 1%, the vulnerability is not listed in the CISA KEV catalog, and the SSVC assessment records no known exploitation and rates the issue as not automatable. The CVSS vectors state the attack conditions directly: network reachable (AV:N), low complexity (AC:L), low privileges (PR:L), no user interaction (UI:N). In practice that means network access to the sharded cluster and the ability to submit a crafted aggregation pipeline as an authenticated user with the read role. Without a public exploit the risk is unproven rather than confirmed, but memory corruption reachable over the network from a read-only account warrants patching as soon as a fix is available.

Generated by OpenCVE AI on March 17, 2026 at 17:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the MongoDB website or vendor portal for a patch that addresses CVE-2026-4148 and apply the latest update. No affected versions are listed on this page yet, so confirm the fixed releases from the vendor advisory rather than assuming a given version is safe.
  • If an immediate patch is unavailable, reduce the set of authenticated accounts holding the read role (or any role that grants the find action) on sharded clusters, and restrict network access to mongos. MongoDB's built-in role model grants find and aggregate through the same privilege action and cannot deny individual stages such as $lookup or $graphLookup, so exposure can only be narrowed by shrinking who is allowed to run aggregations, not by blocking those stages.
  • Monitor aggregation pipeline usage to detect anomalous activity that may indicate exploitation attempts: lower slowms or raise the profiling level so aggregate commands reach the server log, then alert on $lookup or $graphLookup stages issued from accounts or client addresses that do not normally use them.
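The following is an added example of the monitoring step, written for this page and not taken from MongoDB or OpenCVE. It parses MongoDB's structured (JSON) log format, which mongod and mongos have emitted since 4.4, and flags aggregate commands whose pipeline contains $lookup or $graphLookup at any depth, including stages nested inside $facet branches or $lookup sub-pipelines. It assumes the log records are "Slow query" entries (which appear for every command once slowms is 0 or the profiler is enabled); the log lines, database, collection and connection names below are constructed for the example.

```python
import json
from collections import Counter
from typing import Any, Iterable

# Aggregation stages named in the advisory for CVE-2026-4148.
WATCHED_STAGES = {"$lookup", "$graphLookup"}

# Constructed sample lines in the MongoDB 4.4+ structured log format (not
# captured from a real deployment). Field layout follows the "Slow query"
# record: attr.command holds the command document as the client sent it.
SAMPLE_LOG = """\
{"t":{"$date":"2026-03-18T10:00:01.000+00:00"},"s":"I","c":"COMMAND","id":51803,"ctx":"conn41","msg":"Slow query","attr":{"type":"command","ns":"shop.orders","command":{"aggregate":"orders","pipeline":[{"$match":{"status":"open"}},{"$lookup":{"from":"customers","localField":"cid","foreignField":"_id","as":"c"}}],"cursor":{},"$db":"shop"},"remote":"10.0.0.5:51000","durationMillis":3}}
{"t":{"$date":"2026-03-18T10:00:02.000+00:00"},"s":"I","c":"COMMAND","id":51803,"ctx":"conn42","msg":"Slow query","attr":{"type":"command","ns":"shop.orders","command":{"find":"orders","filter":{"status":"open"},"$db":"shop"},"remote":"10.0.0.6:51001","durationMillis":1}}
{"t":{"$date":"2026-03-18T10:00:03.000+00:00"},"s":"I","c":"COMMAND","id":51803,"ctx":"conn43","msg":"Slow query","attr":{"type":"command","ns":"shop.orders","command":{"aggregate":"orders","pipeline":[{"$facet":{"chain":[{"$graphLookup":{"from":"orders","startWith":"$parent","connectFromField":"parent","connectToField":"_id","as":"chain"}}]}}],"cursor":{},"$db":"shop"},"remote":"10.0.0.7:51002","durationMillis":7}}
this line is not JSON and must be skipped
"""


def find_watched_stages(value: Any) -> list[str]:
    """Return every $lookup / $graphLookup key found anywhere inside value.

    The walk is fully recursive, so stages hidden in $facet branches,
    $unionWith pipelines or $lookup sub-pipelines are reported along with
    top-level ones. Stage names are returned in document order.
    """
    found: list[str] = []
    if isinstance(value, dict):
        for key, child in value.items():
            if key in WATCHED_STAGES:
                found.append(key)
            found.extend(find_watched_stages(child))
    elif isinstance(value, list):
        for child in value:
            found.extend(find_watched_stages(child))
    return found


def scan_log_lines(lines: Iterable[str]) -> list[dict]:
    """Yield one finding per aggregate command that uses a watched stage."""
    findings: list[dict] = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue  # legacy text-format or corrupted line: ignore
        attr = rec.get("attr") or {}
        cmd = attr.get("command") or {}
        if "aggregate" not in cmd:
            continue  # only aggregation commands can carry these stages
        stages = find_watched_stages(cmd.get("pipeline", []))
        if not stages:
            continue
        findings.append({
            "time": (rec.get("t") or {}).get("$date"),
            "ctx": rec.get("ctx"),          # connection id, for correlation
            "remote": attr.get("remote"),   # client address, if logged
            "ns": attr.get("ns"),
            "stages": stages,
        })
    return findings


def stage_counts(findings: list[dict]) -> Counter:
    """Aggregate findings into a per-stage count for baselining/alerting."""
    return Counter(stage for f in findings for stage in f["stages"])


if __name__ == "__main__":
    hits = scan_log_lines(SAMPLE_LOG.splitlines())
    for hit in hits:
        print(f'{hit["time"]} {hit["ctx"]} {hit["remote"]} {hit["ns"]} {hit["stages"]}')
    print(dict(stage_counts(hits)))
```

Run it against a real log with `scan_log_lines(open("/var/log/mongodb/mongos.log"))`; the findings carry the connection id and client address, which can be joined against authentication log records to attribute the pipeline to a user. Baseline the per-stage counts per client over a normal period, and alert on new sources or unusual volumes rather than on every occurrence, since $lookup is common in legitimate workloads.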

Advisories

No advisories yet.

History

Wed, 18 Mar 2026 12:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Mongodb; Mongodb mongodb Server
Vendors & Products | | Mongodb; Mongodb mongodb Server

Tue, 17 Mar 2026 16:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 17 Mar 2026 16:00:00 +0000

Type | Values Removed | Values Added
Description | | A use-after-free vulnerability can be triggered in sharded clusters by an authenticated user with the read role who issues a specially crafted $lookup or $graphLookup aggregation pipeline.
Title | | ExpressionContext use-after-free in classic engine $lookup and $graphLookup aggregation operators
Weaknesses | | CWE-416
References | |
Metrics | | cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}; cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: mongodb

Published:

Updated: 2026-03-18T03:55:44.426Z

Reserved: 2026-03-13T17:18:13.718Z

Link: CVE-2026-4148

Vulnrichment

Updated: 2026-03-17T16:10:20.716Z

NVD

Status : Awaiting Analysis

Published: 2026-03-17T16:16:23.807

Modified: 2026-03-18T14:52:44.227

Link: CVE-2026-4148

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-24T10:49:09Z

Weaknesses