VYPR
High severity8.8NVD Advisory· Published Mar 17, 2026· Updated Apr 10, 2026

CVE-2026-4148

CVE-2026-4148

Description

A use-after-free vulnerability can be triggered in sharded clusters by an authenticated user with the read role who issues a specially crafted $lookup or $graphLookup aggregation pipeline.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

8
  • MongoDB/MongoDB7 versions
    cpe:2.3:a:mongodb:mongodb:*:*:*:*:-:*:*:*+ 6 more
    • cpe:2.3:a:mongodb:mongodb:*:*:*:*:-:*:*:*range: >=7.0.0,<7.0.31
    • cpe:2.3:a:mongodb:mongodb:8.3.0:alpha0:*:*:-:*:*:*
    • cpe:2.3:a:mongodb:mongodb:8.3.0:alpha1:*:*:-:*:*:*
    • cpe:2.3:a:mongodb:mongodb:8.3.0:alpha2:*:*:-:*:*:*
    • cpe:2.3:a:mongodb:mongodb:8.3.0:alpha3:*:*:-:*:*:*
    • cpe:2.3:a:mongodb:mongodb:8.3.0:rc1:*:*:-:*:*:*
    • (no CPE)
  • osv-coords
    Range: >= 7.0.0, < 7.0.31

Patches

Vulnerability mechanics

References

1

News mentions

0

No linked articles in our index yet.