Description
A bug in query analysis processing of the $vectorSearch aggregation stage for Queryable Encryption (QE) or Client-Side Field Level Encryption (CSFLE) results in literal values for encrypted fields within the $vectorSearch stage filter expressions to be sent to the server as plaintext instead of ciphertext.
Published: 2026-06-09
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in MongoDB Server’s query analysis for the $vectorSearch aggregation stage used with Queryable Encryption or Client‑Side Field Level Encryption causes literal values of encrypted fields in filter expressions to be sent to the server as plaintext instead of ciphertext. This results in the cleartext disclosure of sensitive data that should be protected by encryption, representing a clear‑text transmission vulnerability (CWE‑319).

Affected Systems

MongoDB Server is the affected product. The specific MongoDB Server versions that are vulnerable are not listed in the CVE data; administrators should consult MongoDB release notes or the referenced JIRA issue for detailed version information.

Risk and Exploitability

The escalation path requires an attacker to submit an aggregate query that includes encrypted fields in $vectorSearch. The CVSS score of 7.1 indicates a high severity risk, while the EPSS score is not provided, leaving the exploitation probability uncertain. The vulnerability is not listed in the CISA KEV catalog. Because the flaw leaks plaintext values to the server side, an attacker with query capability or network visibility can recover encrypted data, leading to potential data confidentiality loss. No public exploit is currently documented, but the weakness warrants immediate remediation.

Generated by OpenCVE AI on June 9, 2026 at 23:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MongoDB Server to a version that contains the fix for the $vectorSearch query analysis flaw.
  • As a temporary measure, avoid using $vectorSearch queries that involve encrypted fields until a patch is applied; instead perform the necessary decryption client‑side or use alternative query pathways.
  • Restrict database query permissions so that only trusted applications can execute aggregation stages, thereby limiting the ability of attackers to craft malicious $vectorSearch queries.
  • Ensure that TLS is configured for all client‑to‑server connections to protect any transmitted data, even though the flaw involves server‑side plaintext handling.
  • Review application code to confirm that encryption keys are not exposed or logged in plaintext during query construction.

Generated by OpenCVE AI on June 9, 2026 at 23:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 22:30:00 +0000

Type Values Removed Values Added
Description A bug in query analysis processing of the $vectorSearch aggregation stage for Queryable Encryption (QE) or Client-Side Field Level Encryption (CSFLE) results in literal values for encrypted fields within the $vectorSearch stage filter expressions to be sent to the server as plaintext instead of ciphertext.
Title Client side encryption fails to encrypt values in a $vectorSearch
Weaknesses CWE-319
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: mongodb

Published:

Updated: 2026-06-09T21:56:01.111Z

Reserved: 2026-05-27T17:33:47.392Z

Link: CVE-2026-9741

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-09T23:17:03.583

Modified: 2026-06-09T23:17:03.583

Link: CVE-2026-9741

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-09T23:30:05Z

Weaknesses