Use-After-Free Vulnerability in MongoDB Server's JavaScript Engine
CVE-2026-11933

8.7HIGH

Key Information:

Vendor

Mongodb

Status
Vendor
CVE Published:
12 June 2026

What is CVE-2026-11933?

A use-after-free vulnerability has been identified in the server-side JavaScript engine of MongoDB Server, which occurs when BSON documents are converted to JavaScript arrays. An authenticated user with read privileges can exploit this flaw by executing server-side JavaScript, potentially leading to unauthorized access to sensitive information from freed memory within the mongod process or causing a denial of service through unexpected server crashes.

Affected Version(s)

MongoDB 8.3.0 <= 8.3.3

MongoDB 8.2.0 <= 8.2.10

MongoDB 8.0.0 <= 8.0.25

References

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.