CVE-2026-9754
Description
Authenticated read-role users can read uninitialized stack memory using a crafted filemd5 command in MongoDB.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A vulnerability exists in MongoDB where an authenticated user with the read role can read limited amounts of uninitialized stack memory. This is achievable by issuing specially-crafted filemd5 commands. The vulnerability affects versions prior to 8.2.10, 8.3.0-rc4, and 9.0.0-rc0 [1].
Exploitation
An attacker must first gain authenticated access to the MongoDB instance with a read role. Once authenticated, the attacker can send a specially-crafted filemd5 command. This command triggers the vulnerability, allowing the attacker to read from uninitialized stack memory [1].
Impact
Successful exploitation allows an attacker to read limited amounts of uninitialized stack memory. This could lead to the disclosure of sensitive information that happened to be present in that memory at the time of the read, depending on the data's contents and the attacker's ability to interpret it [1].
Mitigation
This vulnerability has been fixed in MongoDB versions 8.2.10, 8.3.0-rc4, and 9.0.0-rc0. Users are advised to upgrade to one of these fixed versions or later. No workarounds are mentioned in the available references [1].
AI Insight generated on Jun 9, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (1)
News mentions (0)
No linked articles in our index yet.