PT-2026-40350 · MongoDB · Ops Manager
Published 2026-05-12 · Updated 2026-05-12 · CVE-2026-8431
CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
MongoDB Ops Manager versions 7.0
MongoDB Ops Manager versions prior to 8.0.23
Description
An administrative user with permission to configure webhooks can execute arbitrary commands by configuring and subsequently triggering webhooks that contain specific FreeMarker template syntax. FreeMarker is a template engine used to generate text output based on data models.
Recommendations
Update MongoDB Ops Manager version 7.0 to a patched version.
Update MongoDB Ops Manager to version 8.0.23 or later.
Fix
Command Injection
Affected Products
Ops Manager