MongoDB Server Aggregation Vulnerability Affecting Various Deployments
CVE-2026-9747

7.1HIGH

Key Information:

Vendor

Mongodb

Vendor
CVE Published:
9 June 2026

What is CVE-2026-9747?

A vulnerability exists in MongoDB Server where the configuration options 'fromRouter:true' and 'runtimeConstants.userRoles' can lead to unexpected behavior that causes the MongoDB server to crash during aggregation operations. This could significantly disrupt database availability and service continuity for affected deployments. IT administrators and developers are urged to review their configurations and ensure they are updated to the latest version to mitigate potential risks.

Affected Version(s)

MongoDB Server 8.3.0 < 8.3.3

MongoDB Server 8.2.0 < 8.2.10

MongoDB Server 8.0.0 < 8.0.24

References

CVSS V4

Score:
7.1
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.