Description
An authenticated user can cause a MongoDB server to crash or return incorrect results by creating documents that interfere with internal metadata processing during query execution. This stems from insufficient separation between user-controlled document fields and internal metadata in certain execution paths.
Published: 2026-06-09
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A vulnerability in MongoDB Server allows an authenticated user to cause a server crash or return incorrect results by creating documents that interfere with internal metadata processing during query execution. This occurs due to insufficient separation between user-controlled fields and internal metadata, leading to potential denial of service and integrity violations.

Affected Systems

MongoDB Server is affected. No specific version information is provided in the available data, so all releases of MongoDB Server potentially carry this issue until a fix is applied.

Risk and Exploitability

The CVSS score of 7.1 indicates a high severity. The EPSS score is not available, so exploitation likelihood is uncertain, but the vulnerability requires authentication, implying that an attacker must have valid credentials or gain access through other means. The issue is not listed in CISA's KEV catalog, suggesting that there are no confirmed widespread attacks yet. The vulnerable paths involve writing documents with $‑prefixed fields that the server treats as internal metadata, leading to a crash or incorrect responses during query execution.

Generated by OpenCVE AI on June 10, 2026 at 00:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest MongoDB Server release that contains the fix for this vulnerability
  • Restrict or remove write permissions from accounts that are not required to create or modify documents
  • Audit the application to ensure that $‑prefixed fields are not used in user‑controlled input

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 02:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Mongodb; Mongodb mongodb Server
Vendors & Products | | Mongodb; Mongodb mongodb Server

Tue, 09 Jun 2026 23:00:00 +0000

Type | Values Removed | Values Added
Description | | An authenticated user can cause a MongoDB server to crash or return incorrect results by creating documents that interfere with internal metadata processing during query execution. This stems from insufficient separation between user-controlled document fields and internal metadata in certain execution paths.
Title | | Metadata name collision on $-prefixed fields causes post-auth server crash
Weaknesses | | CWE-617
References | |
Metrics | | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}; cvssV4_0: {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: mongodb

Published:

Updated: 2026-06-09T22:17:08.144Z

Reserved: 2026-05-27T17:48:04.380Z

Link: CVE-2026-9750

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-09T23:17:04.510

Modified: 2026-06-09T23:17:04.510

Link: CVE-2026-9750

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T02:30:05Z
