High severity8.8NVD Advisory· Published Mar 17, 2026· Updated Apr 10, 2026
CVE-2026-4148
CVE-2026-4148
Description
A use-after-free vulnerability can be triggered in sharded clusters by an authenticated user with the read role who issues a specially crafted $lookup or $graphLookup aggregation pipeline.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
8cpe:2.3:a:mongodb:mongodb:*:*:*:*:-:*:*:*+ 6 more
- cpe:2.3:a:mongodb:mongodb:*:*:*:*:-:*:*:*range: >=7.0.0,<7.0.31
- cpe:2.3:a:mongodb:mongodb:8.3.0:alpha0:*:*:-:*:*:*
- cpe:2.3:a:mongodb:mongodb:8.3.0:alpha1:*:*:-:*:*:*
- cpe:2.3:a:mongodb:mongodb:8.3.0:alpha2:*:*:-:*:*:*
- cpe:2.3:a:mongodb:mongodb:8.3.0:alpha3:*:*:-:*:*:*
- cpe:2.3:a:mongodb:mongodb:8.3.0:rc1:*:*:-:*:*:*
- (no CPE)
Patches
Vulnerability mechanics
References
1- jira.mongodb.org/browse/SERVER-119319nvdPatchVendor Advisory
News mentions
0No linked articles in our index yet.