Description
An administrative user with access to configure webhooks can execute arbitrary commands by configuring and then triggering webhooks containing specific FreeMarker template syntax.

This issue affects all MongoDB Ops Manager 7.0 versions and MongoDB Ops Manager versions 8.0.22 and prior.
Published: 2026-05-12
Score: 9.4 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A remote command execution flaw exists in MongoDB Ops Manager; administrators who can configure webhooks can embed FreeMarker template syntax that is executed on the server. The vulnerability is a classic command injection weakness (CWE-77). An attacker who gains access to webhook configuration can run arbitrary shell commands with the privileges of the Ops Manager service, potentially compromising the entire server, its underlying OS, and any protected data.

Affected Systems

All MongoDB Ops Manager 7.0 releases and all Ops Manager versions 8.0.22 and earlier are affected. The flaw is present in the Ops Manager product from MongoDB, Inc. Versions newer than 8.0.22, including 8.0.23 and later, contain the fix as announced in the release notes.

Risk and Exploitability

The CVSS score of 9.4 marks this as a critical vulnerability, and the EPSS score is currently not available, but a lack of mitigation in the field makes exploitation likely. The vulnerability is not listed in the CISA KEV catalog. Attackers can trigger the flaw by creating a malicious webhook from an administrative account and then sending a request to activate it, which is a feasible attack vector for insiders or compromised administrators.

Generated by OpenCVE AI on May 12, 2026 at 21:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MongoDB Ops Manager to version 8.0.23 or later, or any release that is newer than the affected 8.0.22 threshold.
  • In environments where an upgrade cannot be performed immediately, block external access to the /webhook endpoint and restrict webhook configuration to trusted users only.
  • If disabling webhooks temporarily is possible, configure Ops Manager to reject or sandbox all template rendering operations until a patch is applied.


Advisories

No advisories yet.

History

Tue, 12 May 2026 23:30:00 +0000

Type: First Time appeared
Values Added: Mongodb; Mongodb ops Manager
Type: Vendors & Products
Values Added: Mongodb; Mongodb ops Manager

Tue, 12 May 2026 21:15:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 12 May 2026 19:00:00 +0000

Type: Description
Values Added: An administrative user with access to configure webhooks can execute arbitrary commands by configuring and then triggering webhooks containing specific FreeMarker template syntax. This issue affects all MongoDB Ops Manager 7.0 versions and MongoDB Ops Manager versions 8.0.22 and prior.
Type: Title
Values Added: Ops Manager RCE via webhook body
Type: Weaknesses
Values Added: CWE-77
Type: References
Type: Metrics
Values Added: cvssV3_1
{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}
cvssV4_0
{'score': 9.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: mongodb

Published:

Updated: 2026-05-12T20:24:26.765Z

Reserved: 2026-05-12T18:08:49.561Z

Link: CVE-2026-8431

Vulnrichment

Updated: 2026-05-12T20:24:18.808Z

NVD

Status : Awaiting Analysis

Published: 2026-05-12T19:16:34.847

Modified: 2026-05-13T15:34:29.847

Link: CVE-2026-8431

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T23:15:26Z

Weaknesses