CVE-2026-8336: DoS in MongoDB Server
Platform: mongodb
Component: mongodb-server
Fixed in: 8.3.2
CVE-2026-8336 is a denial-of-service (DoS) vulnerability in MongoDB Server. An authenticated user can crash the mongod process either by exploiting improper access controls around the $_internalJsEmit function or by manipulating the map function of the mapreduce command when server-side JavaScript is in use. The vulnerability affects MongoDB Server versions 7.0.0 through 8.3.2 and has been resolved in version 8.3.2.
Impact and Attack Scenarios
The primary impact of CVE-2026-8336 is denial of service. A successful exploit lets an authenticated user crash the MongoDB server process, making it unavailable to all clients and disrupting every service that depends on the database. The vulnerability stems from the ability to trigger unexpected behavior in the server-side JavaScript engine, specifically via $where, $function, or the mapreduce reduce stage: crafted JavaScript can cause resource exhaustion or a fatal error inside the mongod process. Although authentication is required, the potential impact within an organization using MongoDB is significant, especially if user accounts with sufficient privileges are compromised.
Exploitation Context
CVE-2026-8336 was published on 2026-05-13. Its severity is rated High with a CVSS score of 7.5. Currently, there are no publicly known proof-of-concept exploits, and the EPSS score is pending evaluation. Patching should be prioritized because of the denial-of-service impact and because the exploit is expected to be relatively straightforward once a PoC is developed. Refer to the MongoDB security advisory for further details and specific recommendations.
CVSS Vector
- Attack Vector: Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
- Attack Complexity: High — requires a race condition, non-default configuration, or specific circumstances. Harder to exploit reliably.
- Privileges Required: Low — any valid user account is sufficient. Basic authenticated access required.
- User Interaction: None — attack is automatic and silent. Victim does nothing: no click, no file open.
- Scope: Unchanged — impact is limited to the vulnerable component itself.
- Confidentiality: High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
- Integrity: High — attacker can write, modify, or delete any data: databases, config files, or code.
- Availability: High — complete crash or resource exhaustion. Full denial of service.
Mitigation and Workarounds
The primary mitigation for CVE-2026-8336 is to upgrade MongoDB Server to version 8.3.2 or later, which fixes the improper access control and prevents the crash condition. If an immediate upgrade is not possible, limit access to the $_internalJsEmit function and review all uses of the mapreduce command, particularly the map function, so that no untrusted code reaches the server-side JavaScript engine. Apply strict input validation to any user-supplied data that ends up in server-side JavaScript. Rate limiting of JavaScript execution is not a fix, but it reduces the impact of a successful exploit. After upgrading, confirm the fix by exercising the affected JavaScript execution path and verifying that the server remains stable.
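The advice above to limit the server-side JavaScript surface can be enforced at the server level with MongoDB's `security.javascriptEnabled` configuration option. The mongod.conf fragment below is an added example, not part of the advisory, and assumes the deployment does not depend on $where, $function, $accumulator or mapReduce, all of which the server rejects once the option is off.

```yaml
# mongod.conf, two variants of the security block (added example, not from the advisory)

# Weak: server-side JavaScript enabled, which is the default. Any
# authenticated user with query privileges can reach $where, $function,
# $accumulator and the mapReduce command, i.e. the paths this CVE abuses.
security:
  authorization: enabled
  javascriptEnabled: true
---
# Hardened: server-side JavaScript disabled. The engine is never started,
# so queries using $where, $function, $accumulator or mapReduce are
# rejected with an error instead of being executed.
security:
  authorization: enabled
  javascriptEnabled: false
```

Restart mongod after changing the file; confirm the setting took effect by checking that a $where query from a test client is refused rather than executed.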
How to fix
Upgrade your MongoDB Server instance to version 7.0.34, 8.0.23, 8.2.9 or 8.3.2 or later to mitigate the denial-of-service vulnerability. The update fixes a use-after-free bug that authenticated users can exploit to crash the server. See the official MongoDB documentation for detailed upgrade instructions.
Frequently asked questions
What is CVE-2026-8336 in MongoDB Server?
It's a denial-of-service vulnerability in MongoDB Server allowing authenticated users to crash the server by exploiting JavaScript execution.
Am I affected by CVE-2026-8336 in MongoDB Server?
If you're running MongoDB Server versions 7.0.0 through 8.3.2, you are potentially affected by this vulnerability.
How do I fix CVE-2026-8336 in MongoDB Server?
Upgrade MongoDB Server to version 8.3.2 or later to resolve the vulnerability. Consider input validation as a temporary measure.
Is CVE-2026-8336 being actively exploited?
Currently, there are no publicly known exploits, but it's recommended to patch proactively.
Where can I find the official MongoDB Server advisory for CVE-2026-8336?
Refer to the official MongoDB security advisory for detailed information and mitigation guidance: [https://www.mongodb.com/docs/manual/security/advisories/](https://www.mongodb.com/docs/manual/security/advisories/)