Description
The $_internalApplyOplogUpdate aggregation pipeline stage can be used to execute a document diff containing a malformed binary diff to return memory out-of-bounds or crash the server. $_internalApplyOplogUpdate can be executed by any authenticated user with access to the aggregate command.
Published: 2026-06-09
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The $_internalApplyOplogUpdate aggregation pipeline stage can process a document diff that includes a malformed binary diff, leading to out‑of‑bounds memory access or a server crash. This can cause a denial of service by taking the MongoDB Server down. The assigned weakness is CWE‑1287 (Improper Validation of Specified Type of Input); its consequence here is memory-unsafe behaviour in the server process.

Affected Systems

The vulnerability affects MongoDB Server. No specific version information is provided, so all installations of the product should be treated as potentially vulnerable until a patch is released.

Risk and Exploitability

The CVSS score of 7.2 indicates a high severity, and the EPSS score is not available, so the current exploitation probability is unknown. The vulnerability is not listed in CISA KEV. Attackers need to be authenticated and possess permission to run aggregate commands, which limits the threat surface to authenticated users who hold that permission. If those privileges are abused, the impact is a service disruption.

Generated by OpenCVE AI on June 10, 2026 at 00:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest MongoDB Server update once the vendor releases a fix for the $_internalApplyOplogUpdate issue.
  • Restrict access to the aggregate command to the minimum set of users who truly need it, using role‑based access control.
  • Enable audit logging for aggregate commands and regularly review logs for anomalous activity.


Advisories

No advisories yet.

History

Wed, 10 Jun 2026 19:30:00 +0000

Type: Metrics | Values removed: (none) | Values added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 10 Jun 2026 02:45:00 +0000

Type: First Time appeared | Values removed: (none) | Values added: Mongodb; Mongodb mongodb Server
Type: Vendors & Products | Values removed: (none) | Values added: Mongodb; Mongodb mongodb Server

Tue, 09 Jun 2026 23:00:00 +0000

Type: Description | Values removed: (none) | Values added: The $_internalApplyOplogUpdate aggregation pipeline stage can be used to execute a document diff containing a malformed binary diff to return memory out-of-bounds or crash the server. $_internalApplyOplogUpdate can be executed by any authenticated user with access to the aggregate command.
Type: Title | Values removed: (none) | Values added: Server crash via malformed binary diff passed to $_internalApplyOplogUpdate.
Type: Weaknesses | Values removed: (none) | Values added: CWE-1287
Type: References | Values removed: (none) | Values added: (none)
Type: Metrics | Values removed: (none) | Values added: cvssV3_1
{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H'}
cvssV4_0
{'score': 7.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: mongodb

Published:

Updated: 2026-06-10T18:54:01.733Z

Reserved: 2026-05-27T17:49:08.204Z

Link: CVE-2026-9753

Vulnrichment

Updated: 2026-06-10T18:53:56.668Z

NVD

Status : Awaiting Analysis

Published: 2026-06-09T23:17:04.897

Modified: 2026-06-10T19:43:28.857

Link: CVE-2026-9753

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T02:30:05Z

Weaknesses
  • CWE-1287: Improper Validation of Specified Type of Input