Use-after-free Vulnerability in MongoDB Field-Level Encryption Affects Multiple Versions
CVE-2026-8201

6.1 MEDIUM

Key Information:

Vendor: MongoDB
CVE Published: 13 May 2026

What is CVE-2026-8201?

A use-after-free vulnerability has been identified in the Field-Level Encryption (FLE) query analysis component of MongoDB. The issue affects the client-side query analysis implementations, mongocryptd and crypt_shared, and can be triggered by an attacker who controls the structure of FLE-related queries. The affected MongoDB Server release lines are listed below; users should review their installations and update to a fixed version to mitigate the risk.

Affected Version(s)

MongoDB Server 7.0 < 7.0.34

MongoDB Server 8.0 < 8.0.23

MongoDB Server 8.2 < 8.2.9

References

CVSS V4

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Attack Requirements:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
