High severity7.5NVD Advisory· Published May 13, 2026· Updated May 18, 2026
CVE-2026-8336
CVE-2026-8336
Description
After invoking $_internalJsEmit, which is not intended to be directly accessible, or mapreduce command’s map function in a certain way, an authenticated user can subsequently crash mongod when the server-side JavaScript engine (through $where, $function, mapreduce reduce stage, etc.) is used also in a specific way, resulting in a post-authentication denial-of-service.
This issue impacts MongoDB Server v8.2 versions prior to 8.2.9 and v8.3 versions prior to 8.3.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
3Patches
Vulnerability mechanics
References
1- jira.mongodb.org/browse/SERVER-121610nvdIssue TrackingVendor Advisory
News mentions
0No linked articles in our index yet.