Use-After-Free Vulnerability in MongoDB Server's JavaScript Engine
CVE-2026-11933
8.7HIGH
What is CVE-2026-11933?
A use-after-free vulnerability has been identified in the server-side JavaScript engine of MongoDB Server, which occurs when BSON documents are converted to JavaScript arrays. An authenticated user with read privileges can exploit this flaw by executing server-side JavaScript, potentially leading to unauthorized access to sensitive information from freed memory within the mongod process or causing a denial of service through unexpected server crashes.
Affected Version(s)
MongoDB 8.3.0 <= 8.3.3
MongoDB 8.2.0 <= 8.2.10
MongoDB 8.0.0 <= 8.0.25