Server Crash Vulnerability in MongoDB Affecting Users on Exchange Options
CVE-2026-9746

7.1HIGH

Key Information:

Vendor

Mongodb

Vendor
CVE Published:
9 June 2026

What is CVE-2026-9746?

A vulnerability in MongoDB allows an authenticated user to cause the server to crash when using specific commands involving $changestreams and $_requestReshardingResumeToken with the exchange option. This issue arises when the server encounters an invariant failure, leading to an unexpected shutdown. It requires no special privileges beyond being logged in, making it accessible for exploitation by regular users.

Affected Version(s)

MongoDB Server 8.3.0 < 8.3.3

MongoDB Server 8.2.0 < 8.2.10

MongoDB Server 8.0.0 < 8.0.24

References

CVSS V4

Score:
7.1
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

muhammaddaffa
.