Description
An authenticated user can crash mongod when running $rankFusion or $scoreFusion with an empty pipeline on a view.

When resolving a view, the server inspects the aggregation pipeline to determine whether it begins with an Atlas Search stage. For $rankFusion and $scoreFusion, this inspection reads the first element on each stage’s input pipeline array without first verifying that the array is non-empty. Supplying an empty pipeline causes a null pointer dereference and crashes the server.

This issue affects MongoDB Server 8.2 versions prior to 8.2.7.
Published: 2026-05-07
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a null pointer dereference that occurs when an authenticated user runs $rankFusion or $scoreFusion on a view with an empty pipeline. The result is a crash of the mongod process, leading to a denial of service that can affect all clients connected to the database instance. No direct data disclosure or tampering is possible, but the loss of service can disrupt business operations.

Affected Systems

Affected versions are MongoDB Server 8.2 versions earlier than 8.2.7. The issue tracks to MongoDB Inc. and can be mitigated by upgrading to the supported 8.2.7 release or later.

Risk and Exploitability

With a CVSS score of 7.1, the severity is moderate, and the scheduler does not indicate an exploit probability (EPSS not available). The vulnerability is not listed in KEV but could still be exploited by users that have legitimate access to the database. The attack requires only authentication and the ability to invoke the aggregation framework; it does not rely on network exposure, so the primary vector is local or internal access.

Generated by OpenCVE AI on May 7, 2026 at 06:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to MongoDB Server 8.2.7 or later.
  • Avoid using $rankFusion or $scoreFusion with an empty pipeline by ensuring the pipeline array contains at least one stage before execution.
  • Monitor mongod logs for crash indicators and apply the fix as soon as possible.

Generated by OpenCVE AI on May 7, 2026 at 06:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 07 May 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Mongodb
Mongodb mongodb Server
Vendors & Products Mongodb
Mongodb mongodb Server

Thu, 07 May 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 07 May 2026 05:30:00 +0000

Type Values Removed Values Added
Description An authenticated user can crash mongod when running $rankFusion or $scoreFusion with an empty pipeline on a view. When resolving a view, the server inspects the aggregation pipeline to determine whether it begins with an Atlas Search stage. For $rankFusion and $scoreFusion, this inspection reads the first element on each stage’s input pipeline array without first verifying that the array is non-empty. Supplying an empty pipeline causes a null pointer dereference and crashes the server. This issue affects MongoDB Server 8.2 versions prior to 8.2.7.
Title Post-auth null pointer dereference when aggregating against a view with empty search pipeline
Weaknesses CWE-476
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Mongodb Mongodb Server
cve-icon MITRE

Status: PUBLISHED

Assigner: mongodb

Published:

Updated: 2026-05-07T12:58:36.281Z

Reserved: 2026-05-07T04:02:07.119Z

Link: CVE-2026-8063

cve-icon Vulnrichment

Updated: 2026-05-07T12:58:32.585Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-07T06:16:05.723

Modified: 2026-05-07T15:11:09.037

Link: CVE-2026-8063

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-07T21:25:06Z

Weaknesses