A cluster of four MongoDB Server vulnerabilities has surfaced, and it puts widely used document databases at real risk. The vendor has patched all four flaws, which range from remote crashes to memory disclosure.
Memory Bugs Lead the Pack
The two most serious entries both score 8.7 on the CVSS scale. CVE-2026-11933 is a use-after-free bug in the server-side JavaScript engine. An authenticated user with read access can trigger it through $where or $function calls. As a result, the server may leak process memory or crash outright.
Meanwhile, CVE-2026-9740 is even easier to abuse. Because it lives in the BSON validation logic, an unauthenticated attacker can crash the mongod process with one crafted message. The flaw relies on uncontrolled recursion that quietly resets internal depth tracking.
Authenticated Crashes Round It Out
Two more issues, both rated 7.1, demand attention as well. CVE-2026-9750 lets an authenticated user corrupt internal metadata, which forces crashes or wrong query results. Similarly, CVE-2026-9743 abuses a null sub-pipeline during aggregation, so a crafted getMore call can knock the server offline.
The four flaws span many releases. Affected branches include the 7.0, 8.0, 8.2, and 8.3 trees, among others.
Patch Without Delay
Administrators should upgrade quickly, since one of the bugs needs no login at all. You can grab a current build straight from the MongoDB Community download page and move to a fixed release.
Fixed versions include 8.0.26, 8.2.11, and 8.3.4, plus several older maintenance updates. Patch testing should still happen first. However, the unauthenticated crash bug makes speed the priority here.
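As an added example (not code from MongoDB or from the original article), the following triage helper classifies server version strings against the three fixed releases named above. The hostnames, the sample inventory and the status labels are constructed for illustration. Branches whose fixed version the article does not list are reported as needing a look at the vendor advisory rather than guessed.

```javascript
// Fixed patch levels named in the article, keyed by major.minor branch.
const FIXED = { "8.0": 26, "8.2": 11, "8.3": 4 };

// Parse "8.0.25", "v8.0.25" or "8.2.11-rc0"; returns null when malformed.
function parseVersion(s) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?$/.exec(String(s).trim());
  if (!m) return null;
  return { branch: `${m[1]}.${m[2]}`, patch: Number(m[3]), pre: Boolean(m[4]) };
}

// Classify one server version string (hypothetical status labels).
function triage(versionString) {
  const v = parseVersion(versionString);
  if (!v) return "unparseable";
  const fixedPatch = FIXED[v.branch];
  // 7.0 and the other maintenance branches have fixes, but the article
  // does not give their version numbers, so do not guess.
  if (fixedPatch === undefined) return "check-advisory";
  if (v.patch < fixedPatch) return "vulnerable";
  // Assumption: a pre-release tag on the fixed patch number (e.g. -rc0)
  // is treated as older than the final release.
  if (v.patch === fixedPatch && v.pre) return "vulnerable";
  return "fixed";
}

// Group an inventory of { host, version } records by status.
function summarize(inventory) {
  const out = { vulnerable: [], fixed: [], "check-advisory": [], unparseable: [] };
  for (const { host, version } of inventory) out[triage(version)].push(host);
  return out;
}

// Constructed sample inventory; hostnames and versions are made up.
const SAMPLE = [
  { host: "db-a.example.internal", version: "8.0.25" },
  { host: "db-b.example.internal", version: "8.0.26" },
  { host: "db-c.example.internal", version: "8.2.11-rc0" },
  { host: "db-d.example.internal", version: "7.0.14" },
  { host: "db-e.example.internal", version: "latest" },
];

console.log(summarize(SAMPLE));
```

Inside mongosh, the same function can be fed the live value with `triage(db.version())`.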