Denial-of-Service Vulnerability in MongoDB Server Products
CVE-2026-8336

7.7HIGH

Key Information:

Vendor: Mongodb, Inc.
Status: Mongodb Server
Vendor: CVE Published:; 13 May 2026

🔔 Create Mongodb, Inc. Vulnerability Alert

What is CVE-2026-8336?

A vulnerability in MongoDB Server allows an authenticated user to trigger a denial-of-service condition. This occurs when the user executes certain internal JavaScript commands or utilizes the map function in a specific manner. When combined with features such as $where or $function, the server-side JavaScript engine may become unresponsive, leading to a crash of the backend services. This impacts various versions of MongoDB Server, necessitating prompt updates to mitigate potential exploitation.

Affected Version(s)

MongoDB Server 8.2 < 8.2.9

MongoDB Server 8.3 < 8.3.2

References

https://jira.mongodb.org/browse/SERVER-121610

issue-tracking

CVSS V4

Score:

7.7

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 13, 2026
Vulnerability Reserved
May 11, 2026

CVE-2026-8336 Data

JSON