CVE-2026-8201 describes a use-after-free vulnerability in MongoDB Server's Field-Level Encryption (FLE) query analysis component, specifically affecting client-side uses of mongocryptd and crypt_shared. Triggering this vulnerability requires control over the structure of a client's FLE-related query. This vulnerability affects MongoDB Server versions 7.0.0 through 8.3.2 and has been resolved in version 8.3.2.
Impact and attack scenarios
The impact of CVE-2026-8201 is significant due to the potential for arbitrary code execution. A use-after-free vulnerability allows an attacker to manipulate memory after it has been freed, potentially leading to the execution of malicious code. In this case, an attacker with control over the structure of a client's FLE-related query can trigger this condition. The attacker could then potentially gain control of the MongoDB server and exfiltrate sensitive data or modify database contents. The blast radius is dependent on the privileges of the affected user and the extent of the attacker's control over the query. This vulnerability shares similarities with other use-after-free vulnerabilities where memory corruption leads to code execution.
Exploitation context
CVE-2026-8201 was published on 2026-05-13. Exploitability is rated medium, since it requires control over the structure of a client's FLE-related query. No public proof-of-concept (PoC) exploit is currently available. The EPSS score is likely to be medium, reflecting the potential for arbitrary code execution alongside the need for specific query manipulation. Refer to the MongoDB security advisory for further details.
CVSS vector
What do these metrics mean?
- Attack Vector: Network. Exploitable remotely over the internet, with no physical or local access required; the largest attack surface.
- Attack Complexity: High. Requires a race condition, a non-default configuration or specific circumstances; difficult to exploit reliably.
- Privileges Required: Low. Any valid user account suffices.
- User Interaction: None. The attack is automatic and silent; the victim need take no action.
- Scope: Unchanged. Impact is confined to the vulnerable component itself.
- Confidentiality: Low. Some data can be accessed.
- Integrity: Low. The attacker can modify some data, with limited impact.
- Availability: High. Complete crash or resource exhaustion; full denial of service.
Affected software
MongoDB Server 7.0.0 through 8.3.2 (FLE query analysis in mongocryptd and crypt_shared)
Weakness classification (CWE)
Use-after-free (CWE-416)
Timeline
- Publication date: 2026-05-13
Mitigations and workarounds
The primary mitigation for CVE-2026-8201 is upgrading to MongoDB Server version 8.3.2 or later. As a temporary workaround, restrict access to FLE functionality to trusted clients only. Implement input validation and sanitization to prevent malicious query structures. Monitor MongoDB logs for unusual activity related to FLE queries. Consider using a Web Application Firewall (WAF) to filter potentially malicious requests, although this may not be effective against authenticated users. After upgrading, verify that FLE functionality is working correctly and that the use-after-free condition is no longer present.
Remediation
Upgrade your MongoDB Server instance to version 7.0.34, 8.0.23, 8.2.9 or 8.3.2 or later to mitigate this use-after-free vulnerability. Review the release notes for any compatibility changes before upgrading. The update fixes the issue in the mongocryptd component.
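As an added example (not part of the advisory or of MongoDB's own tooling), the following Python script applies the per-branch fixed releases listed in the remediation text (7.0.34, 8.0.23, 8.2.9, 8.3.2) and the start of the affected range (7.0.0) to a fleet inventory, so that each host gets the fixed release on its own branch rather than a blanket "latest" recommendation. The inventory lines and hostnames are constructed for the example, and its handling of branches with no listed fix (such as 8.1.x, which it treats as affected and points at 8.3.2) is an assumption of the example, not a statement from the advisory.

```python
"""Branch-aware check of a MongoDB Server version against CVE-2026-8201.

Added example, not code from the advisory or from MongoDB. The per-branch fixed
releases (7.0.34, 8.0.23, 8.2.9, 8.3.2) and the start of the affected range
(7.0.0) are taken from this page. Versions on a branch inside the range that has
no fixed release listed (for example 8.1.x) are treated as affected with the
latest listed fix as the upgrade target; that is an assumption of this example.
"""
from __future__ import annotations

import re

# (major, minor, patch, is_final): the last field makes "8.3.2-rc0" sort before "8.3.2".
Version = tuple[int, int, int, int]

# Fixed releases exactly as the remediation section lists them, keyed by branch.
FIXED_BY_BRANCH: dict[tuple[int, int], Version] = {
    (7, 0): (7, 0, 34, 1),
    (8, 0): (8, 0, 23, 1),
    (8, 2): (8, 2, 9, 1),
    (8, 3): (8, 3, 2, 1),
}
FIRST_AFFECTED: Version = (7, 0, 0, 0)          # 7.0.0 (and its pre-releases)
LATEST_FIXED: Version = max(FIXED_BY_BRANCH.values())

# Accepts "7.0.33", "v8.3.2", "8.3.2-rc0" and an optional "+build" suffix.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?(\+[0-9A-Za-z.]+)?$")


def parse_version(text: str) -> Version:
    """Parse a MongoDB version string; pre-releases sort below their final release."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised MongoDB version string: {text!r}")
    major, minor, patch, pre, _build = m.groups()
    return (int(major), int(minor), int(patch), 0 if pre else 1)


def fmt(v: Version) -> str:
    return f"{v[0]}.{v[1]}.{v[2]}"


def assess(version_text: str) -> dict[str, object]:
    """Return whether the version is affected and, if so, which release to move to."""
    v = parse_version(version_text)
    result: dict[str, object] = {"version": version_text, "affected": False,
                                 "reason": "", "upgrade_to": None}
    if v < FIRST_AFFECTED:
        result["reason"] = "predates the affected range (7.0.0 and later)"
        return result
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is not None:
        if v >= fixed:
            result["reason"] = f"at or above fixed release {fmt(fixed)}"
        else:
            result.update(affected=True, upgrade_to=fmt(fixed),
                          reason=f"below fixed release {fmt(fixed)} on branch {v[0]}.{v[1]}")
        return result
    if v > LATEST_FIXED:
        result["reason"] = f"newer than the latest listed fix {fmt(LATEST_FIXED)}"
        return result
    # Assumption of this example: a branch in range with no listed fix (e.g. 8.1.x)
    # is affected, and the host should move to the latest patched branch.
    result.update(affected=True, upgrade_to=fmt(LATEST_FIXED),
                  reason="no fixed release listed for this branch; move to a patched branch")
    return result


def assess_inventory(lines: list[str]) -> list[tuple[str, str]]:
    """From 'host version' lines, list (host, upgrade_to) for every affected host."""
    findings: list[tuple[str, str]] = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        host, version = line.split()
        r = assess(version)
        if r["affected"]:
            findings.append((host, str(r["upgrade_to"])))
    return findings


# Constructed sample inventory (hostnames and versions invented for this example).
SAMPLE_INVENTORY = """\
# host        reported db.version()
db-prod-01    7.0.33
db-prod-02    7.0.34
db-stage-01   8.0.22
db-stage-02   8.1.3
db-dev-01     8.3.2-rc0
db-dev-02     8.3.2
db-legacy-01  6.0.19
"""

if __name__ == "__main__":
    for host, target in assess_inventory(SAMPLE_INVENTORY.splitlines()):
        print(f"{host}: affected by CVE-2026-8201, upgrade to {target}")
```

Pre-release builds are deliberately sorted below their final release, so a host reporting `8.3.2-rc0` is still flagged; feed the script the output of `db.version()` from each node rather than the package version of a client driver, since the fix is in the server-side mongocryptd component.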
Frequently asked questions
What is CVE-2026-8201?
CVE-2026-8201 is a use-after-free vulnerability in the FLE component of MongoDB Server that may lead to arbitrary code execution.
Am I affected?
If your MongoDB Server version is between 7.0.0 and 8.3.2 and FLE is enabled, you may be affected. Upgrade to 8.3.2 or later immediately.
How do I fix it?
Upgrading to MongoDB Server 8.3.2 or later is the primary fix for this vulnerability.
Is this vulnerability being exploited?
No public PoC is available at present, but close monitoring is recommended.
Where can I learn more?
See the MongoDB security advisory and the NVD database for further details.