Memory Usage Vulnerability in MongoDB Server by MongoDB
CVE-2026-8199

7.1HIGH

Key Information:

Vendor: Mongodb, Inc.
Status: Mongodb Server
Vendor: CVE Published:; 13 May 2026

🔔 Create Mongodb, Inc. Vulnerability Alert

What is CVE-2026-8199?

An authenticated user can exploit a vulnerability within MongoDB Server by triggering excessive memory usage through the processing of bitwise match expression abstract syntax trees. Specifically, variables such as $bitsAllSet, $bitsAnySet, $bitsAllClear, and $bitsAnyClear can lead to significant memory pressure, ultimately risking availability due to out-of-memory (OOM) conditions. This could potentially disrupt service and affect overall application stability for systems using the impacted versions.

Affected Version(s)

MongoDB Server 7.0 < 7.0.34

MongoDB Server 8.0 < 8.0.23

MongoDB Server 8.2 < 8.2.9

References

https://jira.mongodb.org/browse/SERVER-122449

issue-tracking

CVSS V4

Score:

7.1

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 13, 2026
Vulnerability Reserved
May 8, 2026

CVE-2026-8199 Data

JSON