CVE-2026-9750
Description
MongoDB server crash or incorrect results due to authenticated user creating documents that interfere with internal metadata processing.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
An authenticated user can cause a MongoDB server to crash or return incorrect results by creating documents that interfere with internal metadata processing during query execution. This stems from insufficient separation between user-controlled document fields and internal metadata in certain execution paths, specifically when DocumentStorage::loadLazyMetadata() unconditionally consumes $-prefixed BSON fields matching internal metadata names, even when the BSON comes from user data via constructs like $literal or $setField [1]. This affects versions prior to the fix.
Exploitation
An authenticated user can exploit this vulnerability by crafting documents with $-prefixed fields that match internal metadata names. These documents can be introduced through operations like $literal or $setField. The vulnerability is most visible during cross-shard aggregations where the merge step serializes user fields alongside actual metadata, leading to silent metadata corruption, type-mismatch errors, and occasional crashes [1].
Impact
Successful exploitation can lead to a denial-of-service condition, causing the MongoDB server to crash. Additionally, it can result in the server returning incorrect query results due to silent metadata corruption. The scope of the impact is limited to the data processed by the affected query or aggregation operation, and the attacker must be authenticated [1].
Mitigation
The vulnerability is fixed in MongoDB versions that include commits #51366, #51679, and #52144. These commits introduce guards in loadLazyMetadata(), strip metadata-colliding user fields during cross-shard merge serialization, and add logging for stripped fields. Operators can upgrade to a patched version for mitigation. No specific workaround is mentioned in the available references if an upgrade is not immediately possible [1].
AI Insight generated on Jun 9, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE. The mechanics section is only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References: 1
News mentions: 1
- MongoDB: Nine Vulnerabilities Disclosed, Including Server Crashes and Data Exposure (Vypr Intelligence, Jun 9, 2026)