Description
Adding fromRouter:true and runtimeConstants.userRoles could cause aggregations to crash mongodb server.
Published: 2026-06-09
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker to crash MongoDB Server by submitting a specially crafted aggregation request that includes fromRouter:true and runtimeConstants.userRoles. The crash results in denial of service for every application using that instance. The flaw stems from improper handling of these aggregation parameters (CWE-617, reachable assertion).

Affected Systems

The affected product is MongoDB Server. The advisory discloses no specific version numbers. Any deployment in which users can run arbitrary aggregation commands is potentially affected.

Risk and Exploitability

The CVSS score of 7.1 indicates high severity. No EPSS score is available, so exploitation likelihood cannot be quantified, and the vulnerability is not currently listed in the CISA KEV catalog. An attacker needs network access to submit the malicious aggregation request, most likely over the normal mongod port, and, per the published CVSS vectors (PR:L), an authenticated account with low privileges. Once the request executes, the server crashes and stays down until it is restarted.

Generated by OpenCVE AI on June 10, 2026 at 00:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest MongoDB Server release that contains the fix for SERVER-123918.
  • Restrict aggregation command execution to users with explicit privileges, for example through role-based access controls, and remove the default ability to set fromRouter or runtimeConstants.
  • Deploy network segmentation or firewall rules so that external hosts cannot reach the mongod port, and enable monitoring that alerts on unexpected process restarts.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 01:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Mongodb; Mongodb mongodb Server
Vendors & Products | | Mongodb; Mongodb mongodb Server

Tue, 09 Jun 2026 22:30:00 +0000

Type | Values Removed | Values Added
Description | | Adding fromRouter:true and runtimeConstants.userRoles could cause aggregations to crash mongodb server.
Title | | Crafted cross-shard merge aggregation crashes MongoDB Server
Weaknesses | | CWE-617
References | |
Metrics | | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}; cvssV4_0: {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: mongodb

Published:

Updated: 2026-06-09T22:05:24.209Z

Reserved: 2026-05-27T17:46:34.140Z

Link: CVE-2026-9747

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-09T23:17:04.120

Modified: 2026-06-09T23:17:04.120

Link: CVE-2026-9747

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T00:45:17Z

Weaknesses