Description
The $_internalApplyOplogUpdate aggregation pipeline stage can be used to execute a document diff containing a malformed binary diff to return memory out-of-bounds or crash the server. $_internalApplyOplogUpdate can be executed by any authenticated user with access to the aggregate command.
Published: 2026-06-09
Score: 7.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The $_internalApplyOplogUpdate aggregation pipeline stage can process a document diff that includes a malformed binary diff, leading to out‑of‑bounds memory access or a server crash. This can cause a denial of service by taking the MongoDB Server down. The weakness is a memory corruption flaw (CWE‑1287).

Affected Systems

The vulnerability affects MongoDB Server. No specific version information is provided, so all installations of the product may be vulnerable until a patch is released.

Risk and Exploitability

The CVSS score of 7.2 indicates a high severity, and the EPSS score is not available, so the current exploitation probability is unknown. The vulnerability is not listed in CISA KEV. Attackers need to be authenticated and possess permission to run aggregate commands, which limits the threat surface to privileged users. If those privileges are abused, the impact is a service disruption.

Generated by OpenCVE AI on June 10, 2026 at 00:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest MongoDB Server update once vendor releases a fix for the $_internalApplyOplogUpdate issue.
  • Restrict access to the aggregate command to the minimum set of users who truly need it, using role‑based access control.
  • Enable audit logging for aggregate commands and regularly review logs for anomalous activity.

Generated by OpenCVE AI on June 10, 2026 at 00:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 23:00:00 +0000

Type Values Removed Values Added
Description The $_internalApplyOplogUpdate aggregation pipeline stage can be used to execute a document diff containing a malformed binary diff to return memory out-of-bounds or crash the server. $_internalApplyOplogUpdate can be executed by any authenticated user with access to the aggregate command.
Title Server crash via malformed binary diff passed to $_internalApplyOplogUpdate.
Weaknesses CWE-1287
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H'}

cvssV4_0

{'score': 7.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: mongodb

Published:

Updated: 2026-06-09T22:35:54.145Z

Reserved: 2026-05-27T17:49:08.204Z

Link: CVE-2026-9753

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-09T23:17:04.897

Modified: 2026-06-09T23:17:04.897

Link: CVE-2026-9753

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T00:30:17Z

Weaknesses