PT-2026-38343 · MongoDB · MongoDB Server

Published: 2026-05-07 · Updated: 2026-05-12 · CVE-2026-8063

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

MongoDB Server versions prior to 8.2.7

Description

An authenticated user can cause a denial of service by crashing the mongod process. This occurs when running $rankFusion or $scoreFusion with an empty pipeline on a view. During view resolution, the server inspects the aggregation pipeline to identify if it starts with an Atlas Search stage; however, for $rankFusion and $scoreFusion, the server reads the first element of each stage's input pipeline array without verifying that the array contains data. Providing an empty pipeline leads to a null pointer dereference, which crashes the server.

Recommendations

Update MongoDB Server to version 8.2.7 or later.
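
An application-side guard for the condition described above, added here as an example (it is not MongoDB's fix and not code from this advisory): it rejects aggregation pipelines whose $rankFusion or $scoreFusion stage has a missing or empty input pipeline before the query is sent. The function names and sample pipelines are constructed; the input.pipelines layout is assumed from the documented stage syntax.

```javascript
// Added example: client-side pre-flight check, not MongoDB's server fix.
const FUSION_STAGES = ["$rankFusion", "$scoreFusion"];

// Return one finding per fusion stage input that is missing or empty.
function findEmptyFusionInputs(pipeline) {
  const findings = [];
  if (!Array.isArray(pipeline)) return findings;
  pipeline.forEach((stage, i) => {
    if (stage === null || typeof stage !== "object") return;
    for (const name of FUSION_STAGES) {
      if (!(name in stage)) continue;
      const where = `stage ${i} (${name})`;
      // Assumed layout: { <stage>: { input: { pipelines: { <name>: [ ... ] } } } }
      const inputs = stage[name]?.input?.pipelines;
      if (inputs == null || typeof inputs !== "object" || Array.isArray(inputs)) {
        findings.push(`${where}: input.pipelines is missing or not an object`);
        continue;
      }
      const entries = Object.entries(inputs);
      if (entries.length === 0) findings.push(`${where}: no input pipelines`);
      for (const [key, sub] of entries) {
        if (!Array.isArray(sub) || sub.length === 0) {
          findings.push(`${where}: input pipeline "${key}" is empty`);
        }
      }
    }
  });
  return findings;
}

// Hypothetical wrapper: call before collection.aggregate(pipeline).
function assertFusionInputsPresent(pipeline) {
  const findings = findEmptyFusionInputs(pipeline);
  if (findings.length > 0) {
    throw new Error("aggregation rejected: " + findings.join("; "));
  }
  return pipeline;
}

// Constructed sample pipelines (not taken from the advisory).
const populated = [{ $rankFusion: { input: { pipelines: {
  byTitle: [{ $match: { genre: "drama" } }, { $sort: { title: 1 } }],
} } } }];
const emptyInput = [{ $scoreFusion: { input: { pipelines: { byTitle: [] },
  normalization: "none" } } }];

console.log(findEmptyFusionInputs(populated));
console.log(findEmptyFusionInputs(emptyInput));
```

The guard only covers clients that route queries through it; any authenticated user can still reach the server directly, so the update to 8.2.7 or later remains the fix.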

Fix

DoS

NULL Pointer Dereference

Weakness Enumeration

Related Identifiers

BIT-MONGODB-2026-8063
CVE-2026-8063

Affected Products

MongoDB Server
MongoDB