Description
In MongoDB Server 8.0, an aggregation stage can leave its _subPipeline field null during processing of certain pipelines. If a getMore is subsequently issued on the same cursor, the server may dereference this null sub-pipeline when reattaching to the operation context, accessing an invalid address and crashing the process. This issue allows an authenticated user who can run aggregation pipelines to cause a denial of service by issuing a specially crafted aggregation followed by getMore on affected versions.
Published: 2026-06-09
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A bug in MongoDB Server 8.0 allows an aggregation stage to leave its _subPipeline field null while processing certain pipelines. When a subsequent getMore is requested on the same cursor, the server may dereference the null subPipeline during reattachment to the operation context, leading to an invalid memory access and crashing the process. The flaw is a null pointer dereference (CWE-476) and results in a denial of service that requires an authenticated user with permission to run aggregation pipelines.

Affected Systems

MongoDB Server 8.0 is vulnerable. The issue is specific to this major version and may not affect earlier releases. Any deployment of this version that permits user-initiated aggregation pipelines is affected.

Risk and Exploitability

The CVSS score of 7.1 indicates a medium to high severity. An attacker needs to authenticate and have the ability to execute custom aggregation queries. The expected attack vector is remote, as long as the attacker can log in to the database with sufficient privileges. EPSS is not available and the vulnerability is not listed in KEV, but any instance that allows user‑supplied aggregation remains at risk until remedied.

Generated by OpenCVE AI on June 9, 2026 at 23:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Restrict aggregation pipeline execution to trusted users or roles to limit the attack surface
  • Monitor database logs for anomalous aggregation and getMore patterns to detect attempted exploitation
  • Apply any available vendor patch for MongoDB Server 8.0 or upgrade to a later release that contains the fix once it is released

Generated by OpenCVE AI on June 9, 2026 at 23:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 01:30:00 +0000

Type Values Removed Values Added
First Time appeared Mongodb
Mongodb mongodb Server
Vendors & Products Mongodb
Mongodb mongodb Server

Tue, 09 Jun 2026 22:30:00 +0000

Type Values Removed Values Added
Description In MongoDB Server 8.0, an aggregation stage can leave its _subPipeline field null during processing of certain pipelines. If a getMore is subsequently issued on the same cursor, the server may dereference this null sub-pipeline when reattaching to the operation context, accessing an invalid address and crashing the process. This issue allows an authenticated user who can run aggregation pipelines to cause a denial of service by issuing a specially crafted aggregation followed by getMore on affected versions.
Title Aggregation sub-pipeline null dereference may allow DoS via crafted getMore
Weaknesses CWE-476
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Mongodb Mongodb Server
cve-icon MITRE

Status: PUBLISHED

Assigner: mongodb

Published:

Updated: 2026-06-09T21:59:34.669Z

Reserved: 2026-05-27T17:34:45.641Z

Link: CVE-2026-9743

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-09T23:17:03.853

Modified: 2026-06-09T23:17:03.853

Link: CVE-2026-9743

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T01:15:18Z

Weaknesses