CVE-2026-9747
Description
A MongoDB server crash vulnerability exists due to malformed requests involving runtime constants and user roles.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A MongoDB server can crash if an authenticated client issues a malformed request that includes fromRouter:true together with a runtimeConstants.userRoles value that is not an array of objects. This vulnerability affects MongoDB versions that have not yet incorporated the fix for SERVER-123918 [1].
Exploitation
An attacker with authenticated client access can exploit this vulnerability by sending a specially crafted request to the MongoDB server. The request must contain fromRouter:true and provide a value for runtimeConstants.userRoles that is not an array of objects, such as a single object or a different data type [1].
Impact
Successful exploitation of this vulnerability can lead to a denial-of-service (DoS) condition, causing the MongoDB server to crash. This results in the unavailability of the database service for all users and applications connected to the affected instance [1].
Mitigation
The vulnerability has been fixed in MongoDB. The specific fixed version is not disclosed in the available references, but the issue is tracked as SERVER-123918 [1]. Users are advised to update to a patched version of MongoDB once it becomes available. No workarounds are mentioned in the available references.
AI Insight generated on Jun 9, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1
Patches
0
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
1
News mentions
0
No linked articles in our index yet.