CVE-2026-8843
Description
Creating a "2dsphere_bucket" index on a non-timeseries bucket collection will succeed, but any subsequent attempt to insert a document which triggers updating that index will crash the server. A similar issue occurs when creating "queryable_encrypted_range" indices.
This issue affects MongoDB Server v7.0 versions prior to 7.0.32, v8.0 versions prior to 8.0.21 and v8.2 versions prior to 8.2.6.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Creating a 2dsphere_bucket index on a non-timeseries collection, or a queryable_encrypted_range index on any collection, crashes MongoDB Server on a subsequent document insert that updates the index.
Vulnerability
This vulnerability affects MongoDB Server versions 7.0 prior to 7.0.32, 8.0 prior to 8.0.21, and 8.2 prior to 8.2.6 [1]. An authorized user can create an invalid index by specifying the pseudo-index type "2dsphere_bucket" on a non-timeseries bucket collection, or the pseudo-index type "queryable_encrypted_range" on any collection. The index creation itself may succeed without error, but any subsequent insert of a document that triggers an update to the invalid index (e.g., db.coll.insert({control: {version: 2}, a: HexData(0, "00")})) will crash the server [1].
Exploitation
An attacker must have authenticated access to the database and the ability to run createIndex and insert commands. No special network position beyond normal database access is required. The attacker first runs a command such as db.coll.createIndex({a: "2dsphere_bucket"}) on a non-timeseries collection, or db.coll.createIndex({a: "queryable_encrypted_range"}). After the invalid index is created, the attacker inserts a document that forces the server to update that index, causing the crash [1].
Impact
Successful exploitation causes a denial-of-service condition by crashing the MongoDB server [1]. The attacker does not gain code execution or data access; the impact is limited to server availability. The crash occurs on the node handling the insert, potentially affecting the entire replica set or sharded cluster if the primary crashes.
Mitigation
MongoDB has fixed this issue in versions 7.0.32, 8.0.21, and 8.2.6 [1]. The fix adds validation at index creation time, rejecting these invalid index types before they can cause issues. Users should upgrade to the latest patched version in their respective release series. No workaround is available other than upgrading or restricting the createIndex privilege to trusted users. This vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
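An added example, not part of the advisory and not MongoDB's code: a JavaScript helper that checks a server version against the affected ranges listed above and flags indexes of the two pseudo-types in getIndexes()-shaped output. The sample data is constructed, the function names are hypothetical, and treating only collections named system.buckets.* as time-series bucket collections is an assumption.

```javascript
// Added example: audit helper for CVE-2026-8843 (not MongoDB's code).
// Pseudo-index types named in the advisory.
const BUCKET_TYPE = "2dsphere_bucket";
const QE_RANGE_TYPE = "queryable_encrypted_range";

// First fixed patch release per series, taken from the advisory text.
const FIXED = { "7.0": [7, 0, 32], "8.0": [8, 0, 21], "8.2": [8, 2, 6] };

// True if a version string such as "8.0.12" is in a range the advisory lists.
// Series the advisory does not list return false.
function isAffectedVersion(version) {
  const parts = version.split("-")[0].split(".").map(Number);
  if (parts.length < 3 || parts.some(Number.isNaN)) {
    throw new Error("unparseable version: " + version);
  }
  const fixed = FIXED[parts[0] + "." + parts[1]];
  return fixed !== undefined && parts[2] < fixed[2];
}

// Assumption: time-series bucket collections are the ones named
// "system.buckets.<name>"; a 2dsphere_bucket index is expected only there.
function isBucketsCollection(collName) {
  return collName.startsWith("system.buckets.");
}

// Returns findings for one collection, given its getIndexes() output.
function findInvalidIndexes(collName, indexes) {
  const findings = [];
  for (const idx of indexes) {
    for (const [field, type] of Object.entries(idx.key || {})) {
      if (type === QE_RANGE_TYPE ||
          (type === BUCKET_TYPE && !isBucketsCollection(collName))) {
        findings.push({ collection: collName, index: idx.name, field, type });
      }
    }
  }
  return findings;
}

// Constructed sample input shaped like getIndexes() results.
const SAMPLE = {
  "coll": [{ v: 2, key: { _id: 1 }, name: "_id_" },
           { v: 2, key: { a: "2dsphere_bucket" }, name: "a_2dsphere_bucket" }],
  "system.buckets.weather": [
    { v: 2, key: { "data.loc": "2dsphere_bucket" }, name: "loc_2dsphere" }],
  "orders": [{ v: 2, key: { amt: "queryable_encrypted_range" }, name: "amt_qe" }],
};

function auditSample() {
  return Object.entries(SAMPLE).flatMap(([n, ix]) => findInvalidIndexes(n, ix));
}
```

In mongosh, the same functions can be fed db.version() and, for each name from db.getCollectionNames(), the result of db.getCollection(name).getIndexes().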
Affected products (1)
- Range: >=7.0, <7.0.32; >=8.0, <8.0.21; >=8.2, <8.2.6
Patches
No patches discovered yet.
References (1)
News mentions
No linked articles in our index yet.