CVE-2026-8053: RCE in MongoDB Server 8.3
Platform: mongodb
Component: mongodb-server
Fixed in: 8.3.2
CVE-2026-8053 is a critical Remote Code Execution (RCE) vulnerability discovered in MongoDB Server's time-series collection implementation. This flaw allows an authenticated user possessing database write privileges to trigger an out-of-bounds memory write within the mongod process, potentially leading to arbitrary code execution. The vulnerability impacts MongoDB Server versions 5.0.0 through 8.3.2 and has been resolved in version 8.3.2.
Impact and Attack Scenarios
The impact of CVE-2026-8053 is severe. Successful exploitation allows an attacker who is already authenticated and holds database write privileges to execute arbitrary code on the MongoDB server. This could lead to complete system compromise, data exfiltration, and denial of service. The out-of-bounds memory write stems from an inconsistency in the internal field-name-to-index mapping within the time-series bucket catalog. Attackers could potentially leverage this to inject malicious code and gain persistent access to the database and underlying infrastructure. Although the attack requires authentication, the ease with which privileges can be escalated in many MongoDB deployments significantly broadens the attack surface.
Exploitation Context
CVE-2026-8053 was published on May 12, 2026. Its severity is rated HIGH (CVSS: 8.8). Public proof-of-concept (POC) code is currently unavailable, but the potential for RCE makes this a high-priority vulnerability. The vulnerability is not currently listed on KEV or EPSS, but the high CVSS score suggests a medium to high probability of exploitation if a POC is released. Monitor security advisories and threat intelligence feeds for updates.
CVSS Vector
- Attack Vector: Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
- Attack Complexity: Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
- Privileges Required: Low — any valid user account is sufficient. Basic authenticated access required.
- User Interaction: None — attack is automatic and silent. Victim does nothing: no click, no file open.
- Scope: Unchanged — impact is limited to the vulnerable component itself.
- Confidentiality: High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
- Integrity: High — attacker can write, modify, or delete any data: databases, config files, or code.
- Availability: High — complete crash or resource exhaustion. Full denial of service.
Mitigation and Workarounds
The primary mitigation for CVE-2026-8053 is to upgrade MongoDB Server to version 8.3.2 or later. If immediate upgrading is not feasible, consider implementing stricter authentication and authorization controls to limit the number of users with database write privileges. Network segmentation can also help contain the blast radius of a potential breach. While a direct WAF rule is unlikely to be effective, monitoring database logs for unusual activity related to time-series collections could provide early warning signs. After upgrading, confirm the fix by attempting to trigger the vulnerable time-series collection operation and verifying that the memory write is prevented.
How to fix
Upgrade your MongoDB Server instance to version 5.0.33 or later, 6.0.28 or later, 7.0.34 or later, 8.0.23 or later, 8.2.9 or later, or 8.3.2 or later to mitigate the vulnerability. The update corrects an inconsistency in the mapping of field names to indexes within the time-series bucket catalog, thereby preventing the out-of-bounds memory write.
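The two defender-side checks that follow up the mitigation and fix sections above are an added example, not part of this advisory and not MongoDB's own tooling. The first classifies a mongod version string against the fixed releases listed on this page (5.0.33, 6.0.28, 7.0.34, 8.0.23, 8.2.9, 8.3.2); the second walks a usersInfo-style document (the shape returned by `db.getUsers()`) and reports which principals hold a built-in role that grants database write access, or a user-administration role that can grant itself write access, which is what the workaround of limiting write privileges needs to enumerate. The role sets, the `unlisted_branch` verdict for branches the advisory names no fix for, and the sample user document are assumptions constructed for this example; custom roles are listed separately because their privileges cannot be resolved without their role definitions.

```python
"""Offline checks for CVE-2026-8053 (added example, not MongoDB's code)."""
import re

# Minimum fixed patch level per release branch, taken from the advisory's fix list.
FIXED_IN = {(5, 0): 33, (6, 0): 28, (7, 0): 34, (8, 0): 23, (8, 2): 9, (8, 3): 2}
FIRST_AFFECTED = (5, 0, 0)   # advisory: affected from 5.0.0
LATEST_FIXED = (8, 3, 2)     # advisory: 8.3.2 "or later" is fixed

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from strings such as '8.3.1' or '8.3.2-rc0'."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised mongod version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def check_version(text):
    """Classify a mongod version (e.g. the output of db.version()) as
    'not_affected', 'affected', 'fixed', or 'unlisted_branch' (inside the
    affected range but on a branch the advisory names no fixed release for)."""
    v = parse_version(text)
    if v < FIRST_AFFECTED:
        return "not_affected"
    if v >= LATEST_FIXED:
        return "fixed"
    fixed_patch = FIXED_IN.get(v[:2])
    if fixed_patch is None:
        return "unlisted_branch"
    return "fixed" if v[2] >= fixed_patch else "affected"


# Assumed role sets for the audit: built-in roles that grant inserts/updates,
# and built-in roles that can grant themselves such a role.
WRITE_ROLES = {"readWrite", "readWriteAnyDatabase", "dbOwner", "root", "restore"}
GRANT_ROLES = {"userAdmin", "userAdminAnyDatabase"}
OTHER_BUILTIN = {"read", "readAnyDatabase", "dbAdmin", "dbAdminAnyDatabase",
                 "clusterAdmin", "clusterManager", "clusterMonitor",
                 "hostManager", "backup", "enableSharding", "__system"}


def write_capable_users(users_info):
    """Bucket every (user, authdb, role, roledb) grant in a usersInfo document
    into 'write', 'can_grant_write' and 'custom' (roles to resolve by hand)."""
    out = {"write": [], "can_grant_write": [], "custom": []}
    for u in users_info.get("users", []):
        for r in u.get("roles", []):
            entry = (u["user"], u["db"], r["role"], r["db"])
            if r["role"] in WRITE_ROLES:
                out["write"].append(entry)
            elif r["role"] in GRANT_ROLES:
                out["can_grant_write"].append(entry)
            elif r["role"] not in OTHER_BUILTIN:
                out["custom"].append(entry)
    return out


# Constructed sample in the shape of db.getUsers() output (not real data).
SAMPLE_USERS_INFO = {"users": [
    {"user": "metrics_app", "db": "admin",
     "roles": [{"role": "readWrite", "db": "telemetry"}]},
    {"user": "dashboard", "db": "admin",
     "roles": [{"role": "read", "db": "telemetry"}]},
    {"user": "ops", "db": "admin",
     "roles": [{"role": "userAdminAnyDatabase", "db": "admin"}]},
    {"user": "etl", "db": "telemetry",
     "roles": [{"role": "ts_writer", "db": "telemetry"}]},
]}

if __name__ == "__main__":
    for ver in ("4.4.29", "7.0.33", "7.0.34", "8.1.0", "8.3.1", "8.3.2-rc0"):
        print(f"{ver:>10}: {check_version(ver)}")
    for bucket, grants in write_capable_users(SAMPLE_USERS_INFO).items():
        print(bucket, grants)
```

Feed `check_version()` the string from `db.version()` on each mongod (every replica-set member and shard, not only the primary), and pass `db.getUsers()` from the `admin` database plus each application database to `write_capable_users()`; anything in the `custom` bucket needs `db.getRole(name, {showPrivileges: true})` to settle whether it carries insert or update actions.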
Frequently asked questions
What is CVE-2026-8053 — RCE in MongoDB Server 8.3?
CVE-2026-8053 is a critical Remote Code Execution vulnerability in MongoDB Server affecting versions 5.0.0–8.3.2. An authenticated user with write privileges can trigger an out-of-bounds memory write, potentially leading to arbitrary code execution.
Am I affected by CVE-2026-8053 in MongoDB Server 8.3?
You are affected if you are running MongoDB Server versions 5.0.0 through 8.3.2. Versions prior to 8.3.2 are vulnerable to this RCE flaw.
How do I fix CVE-2026-8053 in MongoDB Server 8.3?
Upgrade MongoDB Server to version 8.3.2 or later to resolve the vulnerability. If immediate upgrading is not possible, implement stricter authentication and authorization controls.
Is CVE-2026-8053 being actively exploited?
While no public exploits are currently known, the high severity of the vulnerability suggests a potential for exploitation. Monitor security advisories and threat intelligence feeds.
Where can I find the official MongoDB advisory for CVE-2026-8053?
Refer to the official MongoDB security advisory for CVE-2026-8053 on the MongoDB website. Check the MongoDB security announcements page for the latest information.