VYPR
Medium severity · 6.5 · NVD Advisory · Published Jun 9, 2026 · Updated Jun 10, 2026

CVE-2026-9749

Description

MongoDB aggregation pipeline issue with $exchange stage can lead to server instability or denial of service.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A bug can occur in MongoDB's aggregation pipeline, specifically within the internal $exchange stage when it is configured with key-range partitioning and order-preserving delivery. If a single key range produces enough documents to fill its exchange buffer, the server fails to update the internal "high watermark" for that key range, and a full per-consumer buffer is then detected.

Exploitation

An attacker would need to trigger an aggregation pipeline using the $exchange stage with key-range partitioning and order-preserving delivery. The attacker must then provide input that causes a single key range to produce enough documents to fill its exchange buffer, thereby reaching the vulnerable code path.

Impact

When the vulnerable code path is reached, the server may experience instability or a denial of service. The exact impact is not fully detailed in the available references, but it relates to the internal handling of buffer states within the aggregation pipeline.

Mitigation

This issue has been fixed. The reference indicates that the resolution is "Fixed" with no specific version mentioned, but it is associated with a Jira ticket for MongoDB server development [1]. No specific workaround is provided, and the vulnerability is not listed as part of the KEV catalog.

AI Insight generated on Jun 9, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE: the mechanics section is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 1

News mentions: 1