High severity8.8NVD Advisory· Published Mar 17, 2026· Updated Apr 10, 2026
CVE-2026-4148
CVE-2026-4148
Description
A use-after-free vulnerability can be triggered in sharded clusters by an authenticated user with the read role who issues a specially crafted $lookup or $graphLookup aggregation pipeline.
Affected products
6cpe:2.3:a:mongodb:mongodb:*:*:*:*:-:*:*:*+ 5 more
- cpe:2.3:a:mongodb:mongodb:*:*:*:*:-:*:*:*range: >=7.0.0,<7.0.31
- cpe:2.3:a:mongodb:mongodb:8.3.0:alpha0:*:*:-:*:*:*
- cpe:2.3:a:mongodb:mongodb:8.3.0:alpha1:*:*:-:*:*:*
- cpe:2.3:a:mongodb:mongodb:8.3.0:alpha2:*:*:-:*:*:*
- cpe:2.3:a:mongodb:mongodb:8.3.0:alpha3:*:*:-:*:*:*
- cpe:2.3:a:mongodb:mongodb:8.3.0:rc1:*:*:-:*:*:*
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1- jira.mongodb.org/browse/SERVER-119319nvdPatchVendor Advisory
News mentions
4- Worm rubs out competitor's malware, then takes controlThe Register Security · May 8, 2026
- The Good, the Bad and the Ugly in Cybersecurity – Week 19SentinelOne Labs · May 8, 2026
- VECT: Ransomware by design, Wiper by accidentCheck Point Research · Apr 28, 2026
- Ongoing supply-chain attack 'explicitly targeting' security, dev toolsThe Register Security · Apr 27, 2026