Vulnerability in MongoDB Server's BSON Validation Logic
CVE-2026-9740

8.7HIGH

Key Information:

Vendor

Mongodb

Vendor
CVE Published:
9 June 2026

What is CVE-2026-9740?

A vulnerability exists in MongoDB Server's BSON validation logic, which can be exploited by an unauthenticated user. By sending a specially crafted BSON message, an attacker can induce the mongod process to crash. This issue arises from the validator's mishandling of certain nested binary data structures, leading to uncontrolled mutual recursion among validation functions. Each re-entry into the validation process resets internal depth tracking, causing the server to become susceptible to crash scenarios.

Affected Version(s)

MongoDB Server 8.3.0 < 8.3.3

MongoDB Server 8.2.0 < 8.2.10

MongoDB Server 8.0.0 < 8.0.24

References

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.