Uninitialized Memory Exposure in MongoDB for Authenticated Users
CVE-2026-9754

7.1HIGH

Key Information:

Vendor

Mongodb

Status
Vendor
CVE Published:
9 June 2026

What is CVE-2026-9754?

An issue has been identified in MongoDB that allows an authenticated user with the read role to potentially access uninitialized portions of stack memory through crafted invocations of the 'filemd5' command. This could lead to unauthorized information disclosure, exposing sensitive data inadvertently stored in memory. Users should be aware of this vulnerability and apply necessary safeguards when using affected versions of MongoDB.

Affected Version(s)

MongoDB 8.3.0 < 8.3.3

MongoDB 8.2.0 < 8.2.10

References

CVSS V4

Score:
7.1
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.