Description
When using $changestreams and $_requestReshardingResumeToken with the exchange option the server hits an invariant which causes the server to crash. There are no special privileges needed. The user must be logged in to issue the statement.
Published: 2026-06-09
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The server hits an invariant and crashes when it processes a change stream that combines the exchange option with the resharding resume token ($_requestReshardingResumeToken). No special privileges are required beyond authentication, so any logged-in user can trigger the crash. The result is a denial of service that interrupts normal database operations and can affect the availability of the system.

Affected Systems

MongoDB Server is affected. The flaw manifests in any deployment that uses $changestreams together with the exchange option and the $_requestReshardingResumeToken parameter. Version information was not provided, so the impact applies to all releases that include the relevant code paths until patched.

Risk and Exploitability

The CVSS 4.0 score of 7.1 rates the issue as high severity. No EPSS score is available, so there is no estimate of exploitation likelihood yet, and the vulnerability is not listed in the CISA KEV catalog. Because authentication is required, the likely attacker is an authenticated user, whether an insider or a compromised account, who can issue a change-stream command. No higher privileges are needed, and the risk is primarily to availability rather than confidentiality or integrity.

Generated by OpenCVE AI on June 9, 2026 at 23:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest MongoDB Server security update that resolves the invariant bug.
  • Disable or restrict the use of the exchange option in change streams until a patch is applied.
  • Configure automated monitoring or service restarts to recover from unexpected crashes.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 01:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Mongodb; Mongodb mongodb Server
Vendors & Products | | Mongodb; Mongodb mongodb Server

Tue, 09 Jun 2026 22:30:00 +0000

Type | Values Removed | Values Added
Description | | When using $changestreams and $_requestReshardingResumeToken with the exchange option the server hits an invariant which causes the server to crash. There are no special privileges needed. The user must be logged in to issue the statement.
Title | | Server crashes in case of the use of exchange
Weaknesses | | CWE-617
References | |
Metrics | | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}; cvssV4_0: {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: mongodb

Published:

Updated: 2026-06-09T22:02:12.772Z

Reserved: 2026-05-27T17:46:08.428Z

Link: CVE-2026-9746

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-09T23:17:03.980

Modified: 2026-06-09T23:17:03.980

Link: CVE-2026-9746

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T00:45:17Z

Weaknesses