CVE-2026-9741
Description
MongoDB's $vectorSearch stage leaks plaintext data for encrypted fields in filter expressions when using Queryable Encryption or Client-Side Field Level Encryption.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A bug in the query analysis processing of the $vectorSearch aggregation stage for Queryable Encryption (QE) or Client-Side Field Level Encryption (CSFLE) causes literal values for encrypted fields within the $vectorSearch stage filter expressions to be sent to the server as plaintext instead of ciphertext. This affects MongoDB versions that support these encryption features and the $vectorSearch stage [1].
Exploitation
An attacker can exploit this vulnerability by constructing a query that uses the $vectorSearch aggregation stage with a prefilter that references an encrypted field. The query analysis code fails to replace encrypted predicates in the prefilter with encryption placeholders, leading to the sensitive data being leaked in the plaintext request [1].
Impact
Successful exploitation results in the disclosure of sensitive data. Specifically, literal values for encrypted fields used in $vectorSearch stage filter expressions are exposed as plaintext to the server, bypassing the intended encryption protection [1].
Mitigation
This issue is addressed in a patched version of MongoDB. The stage analyzer functor for $vectorSearch has been updated to analyze the filter and replace encrypted field references with encryption placeholders. Specific patched versions and release dates are not yet publicly disclosed, but the fix is available internally [1].
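Until a patched build is deployed, an application can refuse to send pipelines that would hit this bug. The following is an added example (not MongoDB's or the driver's code) of a client-side pre-flight lint that walks a pipeline's $vectorSearch filter and reports any predicate on a field declared in the application's encryptedFieldsMap; the namespace, field map and pipeline are constructed sample data.

```python
"""Defensive lint (added example): flag $vectorSearch prefilters that reference
Queryable Encryption / CSFLE encrypted fields before a pipeline is sent."""
from typing import Any, Iterator

# Constructed encryptedFieldsMap in the shape Queryable Encryption uses:
# namespace -> {"fields": [{"path": ..., "bsonType": ..., ...}]}
ENCRYPTED_FIELDS_MAP = {
    "medical.records": {"fields": [
        {"path": "patient.ssn", "bsonType": "string", "queries": {"queryType": "equality"}},
        {"path": "diagnosis", "bsonType": "string"},
    ]},
}

# Constructed pipeline: on an affected version the patient.ssn literal leaves the
# client in plaintext, because $vectorSearch.filter was not analyzed.
SAMPLE_PIPELINE = [
    {"$vectorSearch": {
        "index": "notes_vector_index", "path": "embedding",
        "queryVector": [0.12, -0.04, 0.33], "numCandidates": 100, "limit": 10,
        "filter": {"$and": [{"clinic": "north"}, {"patient.ssn": "123-45-6789"}]},
    }},
    {"$project": {"embedding": 0}},
]


def filter_paths(expr: Any) -> Iterator[str]:
    """Yield each field path a match-style filter constrains, recursing through
    $and/$or/$nor; operator objects under a field ({"$in": ...}) are not paths."""
    if isinstance(expr, dict):
        for key, value in expr.items():
            if key in ("$and", "$or", "$nor") and isinstance(value, list):
                for sub in value:
                    yield from filter_paths(sub)
            elif not key.startswith("$"):
                yield key


def leaking_vector_search_fields(namespace: str, pipeline: list) -> dict:
    """Return {stage_index: {encrypted paths}} for each $vectorSearch stage whose
    filter touches an encrypted field (empty dict = clean). A path counts when it
    equals the encrypted path or either is nested inside the other (conservative)."""
    enc = {f["path"] for f in ENCRYPTED_FIELDS_MAP.get(namespace, {}).get("fields", [])}
    findings: dict = {}
    for i, stage in enumerate(pipeline):
        spec = stage.get("$vectorSearch")
        if isinstance(spec, dict) and "filter" in spec:
            hits = {e for p in filter_paths(spec["filter"]) for e in enc
                    if p == e or p.startswith(e + ".") or e.startswith(p + ".")}
            if hits:
                findings[i] = hits
    return findings
```

A non-empty result means the pipeline should be rewritten (move the encrypted predicate out of the prefilter) or blocked until the client runs a fixed version.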
AI Insight generated on Jun 9, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (3)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE. Mechanics are only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (1)
News mentions (1)
[1] MongoDB: Nine Vulnerabilities Disclosed, Including Server Crashes and Data Exposure. Vypr Intelligence, Jun 9, 2026.