CVE-2026-9746
Description
A server crash vulnerability exists in MongoDB when using $changestreams and $_requestReshardingResumeToken with the exchange option, allowing authenticated users to trigger a denial-of-service.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A server crash occurs in MongoDB when the $changestreams and $_requestReshardingResumeToken features are used with the exchange option: the server hits an invariant and aborts. The vulnerability affects mongod instances that receive requests from mongos, because certain code paths trust the contents of the exchange option as if it came from a validated source. External clients can exploit this by supplying unexpected exchange state [1].
Exploitation
An attacker must be authenticated to issue the request that triggers the vulnerability. The request uses $changestreams and $_requestReshardingResumeToken with the exchange option, supplying unexpected exchange state to the mongod instance. No privileges beyond authentication are needed [1].
Impact
Successful exploitation of this vulnerability causes the mongod server to crash, resulting in a denial-of-service for the affected MongoDB instance. The attacker gains no further privileges or access beyond causing the crash.
Mitigation
This vulnerability has been fixed. The issue is tracked under SERVER-124190 and is noted as resolved. Specific version information for the fix is not detailed in the available references, but the fix is considered fully compatible [1].
AI Insight generated on Jun 9, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
- MongoDB: Nine Vulnerabilities Disclosed, Including Server Crashes and Data Exposure (Vypr Intelligence, Jun 9, 2026)