PT-2026-40527 · Mongodb · Mongodb Server+1
Published: 2026-05-05 · Updated: 2026-05-31 · CVE-2026-8053
CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
MongoDB Server versions prior to 5.0.33
MongoDB Server versions prior to 6.0.28
MongoDB Server versions prior to 7.0.34
MongoDB Server versions prior to 8.0.23
MongoDB Server versions prior to 8.2.9
MongoDB Server versions prior to 8.3.2
Description
An inconsistency in the internal field-name-to-index mapping within the time-series bucket catalog allows an authenticated user with database write privileges to trigger an out-of-bounds memory write in the mongod process. This memory corruption can lead to arbitrary code execution on the database server, which is particularly critical in multi-tenant clusters.
Recommendations
Update versions prior to 5.0.33 to 5.0.33.
Update versions prior to 6.0.28 to 6.0.28.
Update versions prior to 7.0.34 to 7.0.34.
Update versions prior to 8.0.23 to 8.0.23.
Update versions prior to 8.2.9 to 8.2.9.
Update versions prior to 8.3.2 to 8.3.2.
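A triage check for the version list above, added here as an example (it is not part of the advisory or of MongoDB's tooling). It assumes each fixed release applies to its own major.minor series, that version strings look like the output of db.version(), and that the host names in the inventory are constructed sample data.

```python
import re

# Fixed releases from the advisory, keyed by release series (major, minor).
# Assumption: "prior to X.Y.Z" is scoped to the X.Y series, not to all lower versions.
FIXED = {(5, 0): 33, (6, 0): 28, (7, 0): 34, (8, 0): 23, (8, 2): 9, (8, 3): 2}

_VERSION = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$")


def triage(version):
    """Return (status, fixed_release_or_None) for one mongod version string."""
    m = _VERSION.match(version.strip())
    if not m:
        return ("unparsed", None)
    major, minor, patch = (int(g) for g in m.group(1, 2, 3))
    prerelease = m.group(4) is not None
    fixed_patch = FIXED.get((major, minor))
    if fixed_patch is None:
        # Series not named in the advisory: report it instead of guessing.
        return ("unlisted", None)
    fixed = f"{major}.{minor}.{fixed_patch}"
    # A pre-release build of the fixed patch level is treated as affected,
    # because the advisory only names the final release as fixed.
    if patch < fixed_patch or (patch == fixed_patch and prerelease):
        return ("affected", fixed)
    return ("patched", fixed)


def triage_fleet(inventory):
    """Map host -> (status, fixed release) for a {host: version} inventory."""
    return {host: triage(version) for host, version in inventory.items()}


# Constructed sample inventory (hypothetical hosts and versions).
INVENTORY = {
    "db-a.example.internal": "7.0.12",
    "db-b.example.internal": "8.0.23",
    "db-c.example.internal": "8.0.23-rc0",
    "db-d.example.internal": "4.4.29",
}

if __name__ == "__main__":
    for host, (status, fixed) in sorted(triage_fleet(INVENTORY).items()):
        target = f" -> update to {fixed}" if status == "affected" else ""
        print(f"{host}: {status}{target}")
```

Hosts reported as "unlisted" run a series the advisory does not name, so their status has to be confirmed against the vendor's own notice.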
Exploit
Fix
RCE
Memory Corruption
Weakness Enumeration
Related Identifiers
Affected Products
Mongodb Server
Mongodb