Null Pointer Dereference in MongoDB Server Due to Empty Pipeline in Aggregation Functions
CVE-2026-8063
7.1 HIGH
What is CVE-2026-8063?
An authenticated user can crash MongoDB Server by executing $rankFusion or $scoreFusion with an empty aggregation pipeline. While inspecting the aggregation pipeline, the server accesses the first element of an input pipeline array without first confirming that the array is non-empty. The result is a null pointer dereference that crashes the server. All MongoDB Server 8.2 versions prior to 8.2.7 are affected.
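The unchecked first-element access described above, shown beside a hardened form. This is an added illustration in C++, not MongoDB source code; the types and the names `peekFront`, `validateInputs`, `firstStageIsUnchecked` and `firstStageIsChecked` are hypothetical.

```cpp
// Simplified model of the bug class described above; not MongoDB source code.
#include <iostream>
#include <map>
#include <string>
#include <vector>

struct Stage { std::string name; };
using Pipeline = std::vector<Stage>;                     // one input pipeline
using InputPipelines = std::map<std::string, Pipeline>;  // name -> pipeline

// Hypothetical helper: first stage, or nullptr when the pipeline is empty.
const Stage* peekFront(const Pipeline& p) {
    return p.empty() ? nullptr : &p.front();
}

// Vulnerable shape: the result is dereferenced without an emptiness check,
// so an empty pipeline makes this a null pointer dereference.
bool firstStageIsUnchecked(const Pipeline& p, const std::string& name) {
    return peekFront(p)->name == name;
}

// Hardened shape, step 1: reject empty input as a user error before any
// inspection. Returns an error message, or "" when the input is acceptable.
std::string validateInputs(const InputPipelines& inputs) {
    if (inputs.empty())
        return "at least one input pipeline is required";
    for (const auto& kv : inputs) {
        if (kv.second.empty())
            return "input pipeline '" + kv.first + "' must not be empty";
    }
    return "";
}

enum class FirstStage { Rejected, Match, NoMatch };

// Hardened shape, step 2: the inspection itself never dereferences null,
// even if a caller forgets to validate first.
FirstStage firstStageIsChecked(const Pipeline& p, const std::string& name) {
    const Stage* first = peekFront(p);
    if (first == nullptr)
        return FirstStage::Rejected;
    return first->name == name ? FirstStage::Match : FirstStage::NoMatch;
}

int main() {
    InputPipelines inputs{{"a", Pipeline{}}};  // constructed sample input
    std::cout << validateInputs(inputs) << "\n";
    return 0;
}
```

Returning a validation error to the client turns the crash into an ordinary rejected request, and the null check inside the inspection keeps the process alive if a code path skips validation.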
Affected Version(s)
MongoDB Server 8.2.0 < 8.2.7