Description
Creating a "2dsphere_bucket" index on a non-timeseries bucket collection will succeed, but any subsequent attempt to insert a document which triggers updating that index will crash the server. A similar issue occurs when creating "queryable_encrypted_range" indices.

This issue affects MongoDB Server v7.0 versions prior to 7.0.32, v8.0 versions prior to 8.0.21 and v8.2 versions prior to 8.2.6.
Published: 2026-05-18
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Creating a "2dsphere_bucket" or "queryable_encrypted_range" index on a non-timeseries bucket collection succeeds, but any subsequent document insertion that requires an index update crashes the server. The crash disrupts database availability, causing a denial-of-service condition for applications relying on the affected MongoDB instance. The weakness is classified as CWE-617 (Reachable Assertion).

Affected Systems

MongoDB, Inc. MongoDB Server is affected. Vulnerable versions include 7.0.0 through 7.0.31, 8.0.0 through 8.0.20, and 8.2.0 through 8.2.5. Versions 7.0.32, 8.0.21, and 8.2.6 and later contain the fix.

Risk and Exploitability

The CVSS score of 7.1 indicates high severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting no widespread exploitation reports yet. The attack requires privileges to create an index and insert data into the target collection. The specific vector is not explicitly documented; it is inferred to be a privileged or authenticated user, or an application with write access to the database. Exploitation would result in an immediate crash of the mongod process, leaving the database unresponsive until a restart or recovery.

Generated by OpenCVE AI on May 18, 2026 at 17:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest MongoDB Server patch (v7.0.32 or newer, v8.0.21 or newer, v8.2.6 or newer).
  • Avoid creating "2dsphere_bucket" or "queryable_encrypted_range" indexes on non‑timeseries bucket collections; redesign the database schema or change the collection type if such indexes are required.
  • If a patch cannot be applied immediately, prevent document insertions that would activate the problematic index until remediation is performed.

Generated by OpenCVE AI on May 18, 2026 at 17:50 UTC.
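
A triage check for the recommended actions above, added here as an example and not produced by OpenCVE or MongoDB: it compares a mongod version against the fixed releases listed on this page and flags indexes of the two named types in a collection inventory. The inventory shape, the `isTimeseriesBucket` flag and all function names are assumptions, and the sample data is constructed.

```javascript
// Added example. Version bounds and index type names come from this page;
// the inventory shape and the isTimeseriesBucket flag are assumptions.
const RISKY_INDEX_TYPES = new Set(["2dsphere_bucket", "queryable_encrypted_range"]);
// First fixed patch number per release line, as listed on this page.
const FIRST_FIXED = { "7.0": 32, "8.0": 21, "8.2": 6 };

// True when the version is in a range the page lists as affected.
// Release lines the page does not mention return false (no data, not "safe").
function isAffectedVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(version);
  if (!m) throw new Error(`unparseable version: ${version}`);
  const fixed = FIRST_FIXED[`${m[1]}.${m[2]}`];
  return fixed !== undefined && Number(m[3]) < fixed;
}

// Flag indexes of the named types that should be reviewed before more inserts.
function findRiskyIndexes(collections) {
  const findings = [];
  for (const coll of collections) {
    for (const idx of coll.indexes) {
      for (const [field, type] of Object.entries(idx.key)) {
        if (!RISKY_INDEX_TYPES.has(type)) continue;
        // Per the page, the 2dsphere_bucket crash applies off a time-series
        // bucket collection; the other type is always flagged (assumption).
        if (type === "2dsphere_bucket" && coll.isTimeseriesBucket) continue;
        findings.push({ ns: coll.ns, index: idx.name, field, type });
      }
    }
  }
  return findings;
}

function triage(version, collections) {
  const affected = isAffectedVersion(version);
  return { affected, findings: affected ? findRiskyIndexes(collections) : [] };
}

// Constructed inventory (not real data).
const sampleInventory = [
  { ns: "iot.system.buckets.readings", isTimeseriesBucket: true,
    indexes: [{ name: "loc_bucket", key: { "data.loc": "2dsphere_bucket" } }] },
  { ns: "app.places", isTimeseriesBucket: false,
    indexes: [{ name: "_id_", key: { _id: 1 } },
              { name: "loc_bucket", key: { loc: "2dsphere_bucket" } }] },
  { ns: "app.payments", isTimeseriesBucket: false,
    indexes: [{ name: "amount_qe", key: { amount: "queryable_encrypted_range" } }] },
];

console.log(JSON.stringify(triage("8.2.5", sampleInventory), null, 2));
```
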

Advisories

No advisories yet.

History

Tue, 19 May 2026 08:45:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Mongodb; Mongodb mongodb; Mongodb mongodb Server |
| Vendors & Products | | Mongodb; Mongodb mongodb; Mongodb mongodb Server |

Mon, 18 May 2026 16:45:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | Creating a "2dsphere_bucket" index on a non-timeseries bucket collection will succeed, but any subsequent attempt to insert a document which triggers updating that index will crash the server. A similar issue occurs when creating "queryable_encrypted_range" indices. This issue affects MongoDB Server v7.0 versions prior to 7.0.32, v8.0 versions prior to 8.0.21 and v8.2 versions prior to 8.2.6 |
| Title | | Calling createIndex with certain index types can crash mongod |
| Weaknesses | | CWE-617 |
| References | | |
| Metrics | | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}; cvssV4_0: {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'} |

MITRE

Status: PUBLISHED

Assigner: mongodb

Published:

Updated: 2026-05-18T15:40:06.265Z

Reserved: 2026-05-18T15:26:43.646Z

Link: CVE-2026-8843

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-18T17:16:34.563

Modified: 2026-05-18T20:27:12.817

Link: CVE-2026-8843

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-19T08:18:54Z

Weaknesses