Query Processing Flaw in MongoDB's Queryable Encryption Feature
CVE-2026-9741
7.1HIGH
What is CVE-2026-9741?
A vulnerability exists in MongoDB's Queryable Encryption where a flaw in the query analysis processing allows for encrypted field values to be transmitted to the server in plaintext. This occurs specifically during the $vectorSearch aggregation stage, where literal values are improperly handled within filter expressions. As a result, sensitive information may inadvertently be revealed to unauthorized parties, posing a significant risk to data security. Users are advised to review their implementations of the affected MongoDB versions to mitigate potential exposure.
Affected Version(s)
MongoDB Server 8.3.0 < 8.3.3
MongoDB Server 8.2.0 < 8.2.10
MongoDB Server 8.0.0 < 8.0.24