Use-After-Free Vulnerability in MongoDB for Sharded Clusters
CVE-2026-4148

8.7HIGH

Key Information:

Vendor: MongoDB
Status: Mongodb Server
Vendor: CVE Published:; 17 March 2026

What is CVE-2026-4148?

A use-after-free vulnerability found in MongoDB’s handling of sharded clusters allows an authenticated user with read permissions to exploit the system. By issuing a specially crafted $lookup or $graphLookup aggregation pipeline, an attacker can initiate this vulnerability, potentially leading to unpredictable behavior and unauthorized data access. Immediate attention is recommended to safeguard against potential exploitation.

Affected Version(s)

MongoDB Server 8.2 < 8.2.6

MongoDB Server 8.0 < 8.0.20

MongoDB Server 7.0 < 7.0.31

References

https://jira.mongodb.org/browse/SERVER-119319

CVSS V4

Score:

8.7

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 17, 2026
Vulnerability Reserved
Mar 13, 2026

CVE-2026-4148 Data

JSON