Query Sanitization Bypass in Mongoose by Automattic
CVE-2026-42334

7.5 HIGH

Key Information:

Vendor: Automattic
Status: Vendor
CVE Published: 14 May 2026

What is CVE-2026-42334?

A flaw in Mongoose, an object modeling tool for MongoDB, allows the query sanitization mechanism to be bypassed through the $nor operator. In Mongoose versions prior to 6.13.9, 7.8.9, 8.22.1, and 9.1.6, the sanitizeFilter feature neutralizes query operators by wrapping them in $eq, but it did not apply this treatment to the contents of a $nor clause. As a result, MongoDB operators such as $ne, $gt, or $regex placed inside a $nor clause reach the database unsanitized, posing a serious security risk to applications that rely on sanitizeFilter in the affected Mongoose versions.
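To make the mechanism concrete, the following is an added illustration written for this page; it is not Mongoose's own sanitizeFilter implementation. It assumes a filter is a plain object, that any nested object containing a key beginning with "$" is wrapped in { $eq: ... } so the database compares it literally, and that the logical operators in LOGICAL_OPERATORS are traversed so their clauses receive the same treatment. The LEGACY_LOGICAL_OPERATORS set, which omits $nor, models the gap the advisory describes; the findLiveOperators audit helper is the check a defender can run on a sanitized filter to confirm that nothing survives in operator position.

```javascript
// Added illustration, not Mongoose's own sanitizeFilter: a recursive filter
// sanitizer plus an audit helper that checks no query operator survives in
// operator position after sanitization. Assumptions (not from the advisory):
// a filter is a plain object; a value whose object has a key starting with
// "$" is wrapped in { $eq: value } so it is compared literally; the logical
// operators in LOGICAL_OPERATORS are traversed so their clauses get the same
// treatment. Leaving $nor out of that set (LEGACY_LOGICAL_OPERATORS) models
// the gap the advisory describes.
const LOGICAL_OPERATORS = new Set(['$and', '$or', '$nor']);
const LEGACY_LOGICAL_OPERATORS = new Set(['$and', '$or']); // $nor missing

function isPlainObject(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value) &&
    Object.getPrototypeOf(value) === Object.prototype;
}

function hasOperatorKey(obj) {
  return Object.keys(obj).some((k) => k.startsWith('$'));
}

// Returns a new filter in which every nested operator object is wrapped in $eq.
function sanitizeFilter(filter, logicalOps = LOGICAL_OPERATORS) {
  if (!isPlainObject(filter)) return filter;
  const out = {};
  for (const [key, value] of Object.entries(filter)) {
    if (logicalOps.has(key) && Array.isArray(value)) {
      // Recurse into each clause of a known logical operator.
      out[key] = value.map((clause) => sanitizeFilter(clause, logicalOps));
    } else if (isPlainObject(value) && hasOperatorKey(value)) {
      // Neutralize: the operator object becomes a literal comparison value.
      out[key] = { $eq: value };
    } else {
      // Scalars, arrays and operator-free subdocuments are already literal matches.
      out[key] = value;
    }
  }
  return out;
}

// Lists the paths of operators the database would still interpret after
// sanitization. $eq is the intended literal comparison and is not reported;
// an empty list means the sanitizer left nothing live.
function findLiveOperators(filter, path = '$', logicalOps = LOGICAL_OPERATORS) {
  const found = [];
  if (!isPlainObject(filter)) return found;
  for (const [key, value] of Object.entries(filter)) {
    const here = `${path}.${key}`;
    if (logicalOps.has(key) && Array.isArray(value)) {
      value.forEach((clause, i) => {
        found.push(...findLiveOperators(clause, `${here}[${i}]`, logicalOps));
      });
    } else if (key.startsWith('$')) {
      found.push(here); // a top-level operator this sanitizer does not handle
    } else if (isPlainObject(value) && hasOperatorKey(value)) {
      for (const op of Object.keys(value)) {
        if (op !== '$eq') found.push(`${here}.${op}`);
      }
    }
  }
  return found;
}

// Sanitize with the given logical-operator set and audit the result.
function auditFilter(filter, logicalOps = LOGICAL_OPERATORS) {
  const sanitized = sanitizeFilter(filter, logicalOps);
  return { sanitized, liveOperators: findLiveOperators(sanitized) };
}

// Constructed sample filter: a request body in which a $gt operator object
// sits inside a $nor clause where a plain string was expected.
const SAMPLE_FILTER = { name: 'alice', $nor: [{ status: { $gt: '' } }] };

console.log('full set  :', JSON.stringify(auditFilter(SAMPLE_FILTER)));
console.log('legacy set:', JSON.stringify(auditFilter(SAMPLE_FILTER, LEGACY_LOGICAL_OPERATORS)));
```

With the full operator set the $gt inside $nor is rewritten to { $eq: { $gt: '' } } and the audit reports no live operators; with the legacy set the $nor clause passes through untouched and the audit reports the surviving operator at $.$nor[0].status.$gt. The audit only reports top-level operators it does not recognise rather than rewriting them, so it is a detection aid; the remediation for the advisory itself remains upgrading to the fixed Mongoose versions listed above.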

Affected Version(s)

  • mongoose < 6.13.9

  • mongoose >= 7.0.0, <= 7.8.8

  • mongoose >= 8.0.0, <= 8.22.0

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
