Description
A bug in query analysis processing of the $vectorSearch aggregation stage for Queryable Encryption (QE) or Client-Side Field Level Encryption (CSFLE) results in literal values for encrypted fields within the $vectorSearch stage filter expressions to be sent to the server as plaintext instead of ciphertext.
Published: 2026-06-09
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in MongoDB Server’s query analysis for the $vectorSearch aggregation stage used with Queryable Encryption or Client‑Side Field Level Encryption causes literal values of encrypted fields in filter expressions to be sent to the server as plaintext instead of ciphertext. This results in the cleartext disclosure of sensitive data that should be protected by encryption, representing a clear‑text transmission vulnerability (CWE‑319).

Affected Systems

MongoDB Server is the affected product. The specific MongoDB Server versions that are vulnerable are not listed in the CVE data; administrators should consult MongoDB release notes or the referenced JIRA issue for detailed version information.

Risk and Exploitability

The escalation path requires an attacker to submit an aggregate query that includes encrypted fields in $vectorSearch. The CVSS score of 7.1 indicates a high severity risk, while the EPSS score is not provided, leaving the exploitation probability uncertain. The vulnerability is not listed in the CISA KEV catalog. Because the flaw leaks plaintext values to the server side, an attacker with query capability or network visibility can recover encrypted data, leading to potential data confidentiality loss. No public exploit is currently documented, but the weakness warrants immediate remediation.

Generated by OpenCVE AI on June 9, 2026 at 23:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MongoDB Server to a version that contains the fix for the $vectorSearch query analysis flaw.
  • As a temporary measure, avoid using $vectorSearch queries that involve encrypted fields until a patch is applied; instead perform the necessary decryption client‑side or use alternative query pathways.
  • Restrict database query permissions so that only trusted applications can execute aggregation stages, thereby limiting the ability of attackers to craft malicious $vectorSearch queries.
  • Ensure that TLS is configured for all client‑to‑server connections to protect any transmitted data, even though the flaw involves server‑side plaintext handling.
  • Review application code to confirm that encryption keys are not exposed or logged in plaintext during query construction.

Generated by OpenCVE AI on June 9, 2026 at 23:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 10 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
First Time appeared Mongodb
Mongodb mongodb Server
Vendors & Products Mongodb
Mongodb mongodb Server

Tue, 09 Jun 2026 22:30:00 +0000

Type Values Removed Values Added
Description A bug in query analysis processing of the $vectorSearch aggregation stage for Queryable Encryption (QE) or Client-Side Field Level Encryption (CSFLE) results in literal values for encrypted fields within the $vectorSearch stage filter expressions to be sent to the server as plaintext instead of ciphertext.
Title Client side encryption fails to encrypt values in a $vectorSearch
Weaknesses CWE-319
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Mongodb Mongodb Server
cve-icon MITRE

Status: PUBLISHED

Assigner: mongodb

Published:

Updated: 2026-06-10T13:21:39.157Z

Reserved: 2026-05-27T17:33:47.392Z

Link: CVE-2026-9741

cve-icon Vulnrichment

Updated: 2026-06-10T13:21:33.839Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-09T23:17:03.583

Modified: 2026-06-10T19:43:28.857

Link: CVE-2026-9741

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T11:21:57Z

Weaknesses
  • CWE-319

    Cleartext Transmission of Sensitive Information