Description
After invoking $_internalJsEmit, which is not intended to be directly accessible, or mapreduce command’s map function in a certain way, an authenticated user can subsequently crash mongod when the server-side JavaScript engine (through $where, $function, mapreduce reduce stage, etc.) is used also in a specific way, resulting in a post-authentication denial-of-service.

This issue impacts MongoDB Server v7.0 versions prior to 7.0.34, v8.0 versions prior to 8.0.23, v8.2 versions prior to 8.2.9 and v8.3 versions prior to 8.3.2.
Published: 2026-05-13
Score: 7.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

After invoking $_internalJsEmit (an internal helper that is not meant to be called directly) or a mapreduce map function in a specific way, an authenticated user can crash mongod the next time the server-side JavaScript engine is exercised in a particular way. The flaw is a post-authentication use-after-free (CWE-416) in the server-side JavaScript path: when the freed object is touched, the mongod process terminates, taking the database offline for every client until it is restarted. The description claims a denial of service only.

Affected Systems

MongoDB Server, versions 7.0 before 7.0.34, 8.0 before 8.0.23, 8.2 before 8.2.9, and 8.3 before 8.3.2 are vulnerable.

Risk and Exploitability

The 7.7 headline score is the CVSS v4.0 value recorded below; the CVSS v3.1 vector scores 7.5, also High. No EPSS data is available and the issue is not in the CISA KEV catalog. Both vectors rate the attack as reachable over the network (AV:N) by a low-privileged authenticated user (PR:L) with no user interaction (UI:N) but high attack complexity (AC:H; the v4.0 vector additionally sets AT:P), which matches the two-step trigger in the description: the attacker first invokes $_internalJsEmit or a mapreduce map function in a particular way, then drives the server-side JavaScript engine ($where, $function, the mapreduce reduce stage) so that the freed memory is used and mongod aborts. Any account that can run those operators against an unpatched server is therefore a candidate attacker, and a single crafted request sequence takes the instance down for all users. Note that both vectors also record high confidentiality and integrity impact even though the description claims only a denial of service.

Generated by OpenCVE AI on May 13, 2026 at 01:35 UTC.

Remediation

No separate vendor advisory or workaround is recorded on this page; the fixed releases are the versions named in the description (7.0.34, 8.0.23, 8.2.9 and 8.3.2).

OpenCVE Recommended Actions

  • Upgrade MongoDB Server to 7.0.34 or newer, 8.0.23 or newer, 8.2.9 or newer, or 8.3.2 or newer.
  • Restrict which accounts can run server-side JavaScript ($where, $function, $accumulator, mapReduce). The server-wide switch is security.javascriptEnabled: false in mongod.conf (or the --noscripting command-line flag), which disables those operators entirely; this page does not say whether that setting alone blocks the $_internalJsEmit trigger, so treat it as a stopgap rather than a substitute for the upgrade.
  • Ensure that user accounts have the least privilege necessary, avoiding granting roles that allow arbitrary server‑side JavaScript execution.
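The following is an added example, not code from OpenCVE or MongoDB, that turns the affected-version list above and the server-side JavaScript recommendation into a check you can run in mongosh. It assumes the fixed versions exactly as stated in the description, that db.version() returns the server version string, and that db.adminCommand({ getCmdLineOpts: 1 }) returns a parsed subdocument mirroring the mongod config file; the sample inputs at the bottom are constructed, not captured from a real server. A branch the entry does not list (for example 6.0 or 8.1) is reported as "not covered", never as safe, because the page says nothing about it.

```javascript
// Added example (not OpenCVE's or MongoDB's code): check a mongod version
// against the fixed releases listed in this CVE entry, and check whether
// server-side JavaScript has been switched off via security.javascriptEnabled.

// Fixed versions per branch, exactly as listed in the description above.
const FIXED_VERSIONS = {
  "7.0": "7.0.34",
  "8.0": "8.0.23",
  "8.2": "8.2.9",
  "8.3": "8.3.2",
};

// Parse "8.0.22" (or "v8.0.22-rc0") into [8, 0, 22]; returns null on garbage.
function parseVersion(s) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(s).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Lexicographic tuple compare: negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// true  -> version is inside an affected range from this entry
// false -> version is on a listed branch at or above the fixed release
// null  -> branch not covered by this entry; the page says nothing about it,
//          so callers must not treat null as "safe"
function isAffected(versionString) {
  const v = parseVersion(versionString);
  if (!v) throw new Error(`unparseable version: ${versionString}`);
  const fixed = FIXED_VERSIONS[`${v[0]}.${v[1]}`];
  if (!fixed) return null;
  return compareVersions(v, parseVersion(fixed)) < 0;
}

// Given the result of db.adminCommand({ getCmdLineOpts: 1 }), report whether
// server-side JavaScript is disabled. The "parsed" subdocument mirrors the
// config file, so security.javascriptEnabled: false appears as
// parsed.security.javascriptEnabled === false; absent means the default (enabled).
function serverSideJsDisabled(cmdLineOpts) {
  const security =
    (cmdLineOpts && cmdLineOpts.parsed && cmdLineOpts.parsed.security) || {};
  return security.javascriptEnabled === false;
}

// Combine both checks into a single verdict object.
function assessServer(versionString, cmdLineOpts) {
  const affected = isAffected(versionString);
  const jsDisabled = serverSideJsDisabled(cmdLineOpts);
  let verdict;
  if (affected === null) {
    verdict = "branch not covered by this entry; check the vendor advisory";
  } else if (!affected) {
    verdict = "fixed release";
  } else if (jsDisabled) {
    verdict = "affected version, server-side JavaScript disabled; upgrade anyway";
  } else {
    verdict = "affected and server-side JavaScript enabled: upgrade, or set security.javascriptEnabled: false as a stopgap";
  }
  return { version: versionString, affected, jsDisabled, verdict };
}

// Constructed sample inputs (not captured from a real server).
const SAMPLE_OPTS_JS_OFF = {
  argv: ["mongod", "--config", "/etc/mongod.conf"],
  parsed: { config: "/etc/mongod.conf", security: { javascriptEnabled: false } },
  ok: 1,
};
const SAMPLE_OPTS_DEFAULT = { argv: ["mongod"], parsed: {}, ok: 1 };

// Against a live server in mongosh the same call is
//   assessServer(db.version(), db.adminCommand({ getCmdLineOpts: 1 }))
// which requires the getCmdLineOpts privilege action on the admin database.
console.log(assessServer("8.0.22", SAMPLE_OPTS_DEFAULT).verdict);
console.log(assessServer("8.0.22", SAMPLE_OPTS_JS_OFF).verdict);
console.log(assessServer("8.2.9", SAMPLE_OPTS_DEFAULT).verdict);
```

The version check deliberately returns null rather than false for branches the entry does not mention, so that a fleet-wide report cannot silently mark an unlisted release as patched; the JavaScript check only proves the operators are disabled, not that the $_internalJsEmit trigger is unreachable, which is why an affected version is told to upgrade regardless.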

Tracking

Advisories

No advisories yet.

History

Wed, 13 May 2026 00:30:00 +0000

Type: Description
Values removed: none
Values added: After invoking $_internalJsEmit, which is not intended to be directly accessible, or mapreduce command’s map function in a certain way, an authenticated user can subsequently crash mongod when the server-side JavaScript engine (through $where, $function, mapreduce reduce stage, etc.) is used also in a specific way, resulting in a post-authentication denial-of-service. This issue impacts MongoDB Server v7.0 versions prior to 7.0.34, v8.0 versions prior to 8.0.23, v8.2 versions prior to 8.2.9 and v8.3 versions prior to 8.3.2.

Type: Title
Values removed: none
Values added: Post-authentication use-after-free error in $_internalJsEmit and mapreduce commands

Type: Weaknesses
Values removed: none
Values added: CWE-416

Type: References
Values removed: none
Values added: none

Type: Metrics
Values removed: none
Values added:
  cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
  cvssV4_0: {'score': 7.7, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/AU:N/R:A/V:D/RE:M/U:Red'}


MITRE

Status: PUBLISHED

Assigner: mongodb

Published:

Updated: 2026-05-13T00:16:16.568Z

Reserved: 2026-05-11T15:37:59.492Z

Link: CVE-2026-8336

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T01:45:16Z

Weaknesses