Denial of Service Vulnerability in MongoDB Server Affecting Multiple Versions
CVE-2026-8202

5.3 MEDIUM

Key Information:

Vendor
CVE Published: 13 May 2026

What is CVE-2026-8202?

An authenticated user with aggregation permissions can exploit a weakness in the MongoDB Server’s aggregation operators, specifically $trim, $ltrim, and $rtrim, by using a densely populated character mask alongside a large input string. This results in excessive CPU utilization, effectively leading to a denial of service. The issue affects multiple MongoDB Server versions, necessitating prompt updates to mitigate potential service disruptions.

Affected Version(s)

MongoDB Server 7.0 < 7.0.34

MongoDB Server 8.0 < 8.0.23

MongoDB Server 8.2 < 8.2.9
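
A triage check for the affected ranges listed above, as an added example that is not part of this advisory or of MongoDB's own tooling. The function names and the sample inventory are constructed for illustration, and treating a pre-release build of a fixed patch level as affected is a conservative assumption, not a statement from the page.

```python
import re

# First fixed patch level per release series, taken from the
# "Affected Version(s)" list on this page.
FIXED_IN = {(7, 0): 34, (8, 0): 23, (8, 2): 9}

# Matches strings such as "7.0.12", "v8.2.3" or "8.0.23-rc0",
# the form reported by db.version() in the shell.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$")


def classify(version: str) -> str:
    """Return 'affected', 'fixed', 'not-listed' or 'unparseable'."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        return "unparseable"
    major, minor, patch = (int(g) for g in m.group(1, 2, 3))
    fixed_patch = FIXED_IN.get((major, minor))
    if fixed_patch is None:
        # The page says nothing about this series, so do not guess.
        return "not-listed"
    if patch < fixed_patch:
        return "affected"
    # Assumption: a pre-release of the fixed patch level (e.g. 8.0.23-rc0)
    # may predate the fix, so report it as affected.
    if patch == fixed_patch and m.group(4) is not None:
        return "affected"
    return "fixed"


def triage(inventory: dict) -> dict:
    """Group host names by classification, hosts in sorted order."""
    result = {}
    for host, version in sorted(inventory.items()):
        result.setdefault(classify(version), []).append(host)
    return result


# Constructed inventory: host name -> reported server version.
SAMPLE_INVENTORY = {
    "db-a": "7.0.12",
    "db-b": "8.0.23",
    "db-c": "8.2.9-rc1",
    "db-d": "6.0.20",
    "db-e": "v8.2.3",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts)}")
```

Hosts reported as not-listed run a series this page does not mention and need a separate check against the vendor's advisory.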

CVSS V4

Score: 5.3
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
