Description
Using a densely populated chars mask and a large input string in the MongoDB aggregation operators $trim, $ltrim, and $rtrim, an authenticated user with aggregation permissions can pin CPU utilization at 100% for an extended period of time.

This issue impacts MongoDB Server v7.0 versions prior to 7.0.34, v8.0 versions prior to 8.0.23, v8.2 versions prior to 8.2.9 and v8.3 versions prior to 8.3.2.
Published: 2026-05-13
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A malicious or careless authenticated user can construct an aggregation query that includes the $trim, $ltrim, or $rtrim operators with a densely populated character mask and a large input string. The database engine spends excessive CPU time processing each of these operators, causing the server CPU usage to spike to 100%. The attack can keep the CPU load elevated for an extended period, effectively denying service to other operations on the same server.

Affected Systems

MongoDB Server 7.0 versions prior to 7.0.34, 8.0 versions prior to 8.0.23, 8.2 versions prior to 8.2.9, and 8.3 versions prior to 8.3.2 are affected. The vulnerability applies to any installation of these releases in which authenticated users hold aggregation privileges.

Risk and Exploitability

The CVSS base score of 5.3 indicates moderate severity. Because exploitation requires an authenticated account with aggregation permissions, the risk is limited to accounts that already hold such privileges. EPSS data is not available, and the issue is not listed in the CISA KEV catalog, so there is no evidence of active exploitation. Nevertheless, any user holding those privileges can trigger a prolonged denial of service, affecting availability for all users of that MongoDB instance.

Generated by OpenCVE AI on May 13, 2026 at 02:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MongoDB Server to at least version 7.0.34, 8.0.23, 8.2.9, or 8.3.2, which contain the fix for the CPU-utilization issue
  • Limit aggregation privileges to trusted and verified accounts only, removing unnecessary users from the aggregation permission set
  • Configure system- or application-level resource limits (e.g., CPU throttling or query execution timeouts) for aggregation queries to mitigate the potential denial-of-service impact

Generated by OpenCVE AI on May 13, 2026 at 02:20 UTC.


Advisories

No advisories yet.

History

Wed, 13 May 2026 11:00:00 +0000

Type: First Time appeared
Values Removed: -
Values Added: Mongodb; Mongodb mongodb; Mongodb mongodb Server

Type: Vendors & Products
Values Removed: -
Values Added: Mongodb; Mongodb mongodb; Mongodb mongodb Server

Wed, 13 May 2026 02:15:00 +0000

Type: Metrics
Values Removed: -
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 13 May 2026 01:30:00 +0000

Type: Description
Values Removed: -
Values Added: Using a densely populated chars mask and a large input string in the MongoDB aggregation operators $trim, $ltrim, and $rtrim, an authenticated user with aggregation permissions can pin CPU utilization at 100% for an extended period of time. This issue impacts MongoDB Server v7.0 versions prior to 7.0.34, v8.0 versions prior to 8.0.23, v8.2 versions prior to 8.2.9 and v8.3 versions prior to 8.3.2.

Type: Title
Values Removed: -
Values Added: Post-authentication CPU utilization DoS via $trim/$ltrim/$rtrim operators

Type: Weaknesses
Values Removed: -
Values Added: CWE-770

Type: References
Values Removed: -
Values Added:

Type: Metrics
Values Removed: -
Values Added: cvssV3_1
{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L'}
cvssV4_0
{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: mongodb

Published:

Updated: 2026-05-13T01:38:09.751Z

Reserved: 2026-05-08T23:43:11.551Z

Link: CVE-2026-8202

Vulnrichment

Updated: 2026-05-13T01:38:05.952Z

NVD

Status : Undergoing Analysis

Published: 2026-05-13T04:17:42.037

Modified: 2026-05-13T15:34:29.847

Link: CVE-2026-8202

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T10:35:04Z

Weaknesses