MongoDB: Nine Vulnerabilities Disclosed, Including Server Crashes and Data Exposure

Key findings
- Nine MongoDB vulnerabilities disclosed on June 9, 2026, including High and Medium severity flaws.
- Multiple aggregation pipeline stages are affected, leading to crashes and out-of-bounds memory access.
- Indexing and query processing flaws can cause server instability or incorrect results.
- Sensitive authentication data and passwords may be logged in plain text.
- A vulnerability exposes literal values for encrypted fields in $vectorSearch filters.
On June 9, 2026, MongoDB addressed a batch of nine vulnerabilities that collectively pose risks ranging from denial-of-service conditions to the exposure of sensitive authentication data. The disclosures, all published on the same day, highlight potential weaknesses in aggregation pipeline stages, indexing, and authentication mechanisms.
Several of the vulnerabilities are in the aggregation framework. CVE-2026-9753, rated High, lets any authenticated user crash the server or trigger out-of-bounds memory access by passing a malformed document to the $_internalApplyOplogUpdate aggregation stage. CVE-2026-9749, rated Medium, can crash the server when a pipeline uses the $exchange stage with particular configurations, notably when a single key range produces a large volume of documents. A third aggregation flaw, CVE-2026-9748, is in the $_internalConvertBucketIndexStats stage, which can crash the server by misinterpreting a signal intended for internal buffer management. The $_internal-prefixed stages are not part of the documented aggregation surface, so their appearance in a pipeline submitted by an application account is itself worth alerting on.
Indexing and query processing are affected as well. CVE-2026-9752, rated Medium, lets an authorized user crash the server by querying a 2dsphere index on a field that holds a GeoJSON GeometryCollection containing a Polygon with a strict-winding CRS; the index's guard check does not inspect the members of the collection, so the unsupported combination reaches the indexing code. CVE-2026-9750, also Medium, lets an authenticated user crash the server or obtain incorrect results by crafting documents that interfere with internal metadata handling during query execution, a consequence of insufficient separation between user-controlled fields and internal metadata. The second of these matters beyond availability: a query that silently returns wrong results is harder to notice than a crash.
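The GeometryCollection case above is one an application can screen for before data reaches an unpatched server. The following is an added example, not MongoDB code: a pre-insert check that flags Polygon or MultiPolygon members of a GeometryCollection that would be interpreted under a strict-winding CRS, whether the crs object sits on the member or on the enclosing collection. The CRS name is the one MongoDB's documentation uses for strict-winding ("big polygon") geometries; the field name `loc` and the sample documents are constructed for this example.

```python
# Added example (not MongoDB code): pre-insert check for the 2dsphere crash
# condition. The CRS identifier below is the strict-winding name from MongoDB's
# documentation; sample documents are constructed.
STRICT_WINDING_CRS = "urn:x-mongodb:crs:strictwinding:EPSG:4326"


def crs_name(geometry):
    """Return the CRS name declared on a GeoJSON object, or None."""
    crs = geometry.get("crs") if isinstance(geometry, dict) else None
    if isinstance(crs, dict) and isinstance(crs.get("properties"), dict):
        return crs["properties"].get("name")
    return None


def unsafe_members(geometry, in_collection=False, inherited_crs=None, path="geometry"):
    """JSON paths of polygon members nested in a GeometryCollection that carry
    (or inherit from the collection) the strict-winding CRS. A top-level
    strict-winding Polygon is a legitimate big polygon and is not reported."""
    if not isinstance(geometry, dict):
        return []
    crs = crs_name(geometry) or inherited_crs
    gtype = geometry.get("type")
    if gtype == "GeometryCollection":
        hits = []
        for i, member in enumerate(geometry.get("geometries") or []):
            hits.extend(unsafe_members(member, True, crs, f"{path}.geometries[{i}]"))
        return hits
    if gtype in ("Polygon", "MultiPolygon") and in_collection and crs == STRICT_WINDING_CRS:
        return [path]
    return []


def check_document(doc, geo_field):
    """Offending paths under the field a 2dsphere index covers; [] means safe."""
    return unsafe_members(doc.get(geo_field), path=geo_field)


def assert_safe_for_2dsphere(doc, geo_field):
    """Reject the document client-side instead of letting the server crash."""
    bad = check_document(doc, geo_field)
    if bad:
        raise ValueError(f"strict-winding polygon inside GeometryCollection at {bad}")
    return doc


# Constructed sample documents (field name "loc" is an assumption).
RING = [[-100, 60], [-100, 0], [-100, -60], [100, -60], [100, 60], [-100, 60]]
STRICT = {"type": "name", "properties": {"name": STRICT_WINDING_CRS}}

SAFE_BIG_POLYGON = {"loc": {"type": "Polygon", "coordinates": [RING], "crs": STRICT}}
PLAIN_COLLECTION = {"loc": {"type": "GeometryCollection", "geometries": [
    {"type": "Point", "coordinates": [10, 10]},
    {"type": "Polygon", "coordinates": [RING]}]}}
MEMBER_CRS = {"loc": {"type": "GeometryCollection", "geometries": [
    {"type": "Point", "coordinates": [10, 10]},
    {"type": "Polygon", "coordinates": [RING], "crs": STRICT}]}}
OUTER_CRS = {"loc": {"type": "GeometryCollection", "crs": STRICT, "geometries": [
    {"type": "Polygon", "coordinates": [RING]}]}}

if __name__ == "__main__":
    for name, doc in [("safe big polygon", SAFE_BIG_POLYGON), ("plain collection", PLAIN_COLLECTION),
                      ("member crs", MEMBER_CRS), ("outer crs", OUTER_CRS)]:
        print(f"{name}: {check_document(doc, 'loc') or 'ok'}")
```

The check is deliberately narrower than "reject every strict-winding CRS": a top-level big polygon is a supported feature, and only the nested form is the advisory's trigger. Run it in the write path of any service that accepts user-supplied GeoJSON, and on existing data before upgrading the index.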
Two of the Medium severity findings, CVE-2026-9751 and CVE-2026-9735, concern sensitive data reaching the server log. With CVE-2026-9751, the value of the ldapQueryPassword parameter is written to the log in plain text when it is changed at runtime through the setParameter command. With CVE-2026-9735, authentication parameters, including credentials, can be logged unredacted during SASL authentication when connection health metric logging is enabled. Server logs are routinely shipped to central log stores and read by people who hold no database credentials, so for either bug the remediation is patching plus rotation of the credentials that may have been written out, and a search of the retained logs for the exposed values.
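Both the aggregation stages named earlier and the two logging flaws just described leave traces in the mongod log, which makes them detectable from the log alone. The block below is an added example, not MongoDB code: it scans structured JSON log lines for aggregate commands that contain the internal stages or $exchange, and for credential material (the ldapQueryPassword parameter, SASL payloads) that was written out instead of being replaced by MongoDB's redaction token "xxx". The sample lines are constructed; they follow the t/s/c/id/ctx/msg/attr layout of the JSON log format, but the exact attr shape of the real vulnerable entries is an assumption, not taken from the advisories.

```python
# Added example (not MongoDB code): scan mongod JSON log lines for internal or
# $exchange stages in aggregate commands and for unredacted credentials.
# Sample log lines are constructed; the attr layout of the real entries is an
# assumption.
import json

RISKY_STAGES = {"$_internalApplyOplogUpdate", "$exchange",
                "$_internalConvertBucketIndexStats"}
SENSITIVE_KEYS = {"ldapQueryPassword", "pwd", "password", "payload"}
REDACTED = "xxx"   # what mongod writes in place of a redacted value


def stage_names(pipeline):
    """Yield every stage name, descending into $lookup/$unionWith/$facet
    sub-pipelines so a risky stage cannot hide one level down."""
    for stage in pipeline or []:
        if not isinstance(stage, dict):
            continue
        for name, spec in stage.items():
            yield name
            if isinstance(spec, dict):
                if isinstance(spec.get("pipeline"), list):
                    yield from stage_names(spec["pipeline"])
                if name == "$facet":
                    for sub in spec.values():
                        yield from stage_names(sub)


def unredacted_secrets(obj, path=""):
    """Dotted paths of sensitive keys whose value is not the redaction token."""
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            here = f"{path}.{key}" if path else key
            if key in SENSITIVE_KEYS and value != REDACTED:
                hits.append(here)
            hits.extend(unredacted_secrets(value, here))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            hits.extend(unredacted_secrets(value, f"{path}[{i}]"))
    return hits


def findings_for_entry(entry):
    """(kind, detail) pairs for one parsed log entry."""
    attr = entry.get("attr")
    if not isinstance(attr, dict):
        return []
    out = []
    cmd = attr.get("command")
    if isinstance(cmd, dict) and "aggregate" in cmd:
        bad = RISKY_STAGES.intersection(stage_names(cmd.get("pipeline")))
        if bad:
            out.append(("risky-stage", sorted(bad)))
    leaked = unredacted_secrets(attr)
    if leaked:
        out.append(("unredacted-secret", leaked))
    return out


def scan_log(lines):
    """lines: any iterable of text lines (an open file works). Non-JSON lines are skipped."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        for kind, detail in findings_for_entry(entry):
            findings.append({"line": lineno, "kind": kind, "detail": detail,
                             "ctx": entry.get("ctx"), "id": entry.get("id")})
    return findings


# Constructed sample: one risky aggregate, one plaintext ldapQueryPassword, one
# correctly redacted SASL payload, one unredacted SASL payload, one benign query.
SAMPLE_LOG_LINES = [
    '{"t":{"$date":"2026-06-10T09:14:03.512+00:00"},"s":"I","c":"COMMAND","id":51803,"ctx":"conn42","msg":"Slow query","attr":{"type":"command","ns":"shop.orders","appName":"report-worker","command":{"aggregate":"orders","pipeline":[{"$_internalApplyOplogUpdate":{"oplogUpdate":{"$v":2,"diff":{}}}}],"cursor":{},"$db":"shop"},"durationMillis":312}}',
    '{"t":{"$date":"2026-06-10T09:15:17.004+00:00"},"s":"I","c":"COMMAND","id":51803,"ctx":"conn7","msg":"Slow query","attr":{"type":"command","ns":"admin.$cmd","command":{"setParameter":1,"ldapQueryPassword":"hunter2","$db":"admin"},"durationMillis":5}}',
    '{"t":{"$date":"2026-06-10T09:16:40.220+00:00"},"s":"I","c":"COMMAND","id":51803,"ctx":"conn9","msg":"Slow query","attr":{"type":"command","ns":"admin.$cmd","command":{"saslStart":1,"mechanism":"SCRAM-SHA-256","payload":"xxx","$db":"admin"},"durationMillis":120}}',
    '{"t":{"$date":"2026-06-10T09:16:41.003+00:00"},"s":"I","c":"COMMAND","id":51803,"ctx":"conn9","msg":"Slow query","attr":{"type":"command","ns":"admin.$cmd","command":{"saslContinue":1,"conversationId":1,"payload":"YixhPSxuPWFwcHVzZXIscj1hYmMxMjM=","$db":"admin"},"durationMillis":118}}',
    '{"t":{"$date":"2026-06-10T09:18:02.777+00:00"},"s":"I","c":"COMMAND","id":51803,"ctx":"conn42","msg":"Slow query","attr":{"type":"command","ns":"shop.orders","command":{"aggregate":"orders","pipeline":[{"$match":{"status":"paid"}},{"$group":{"_id":"$customer","n":{"$sum":1}}}],"cursor":{},"$db":"shop"},"durationMillis":410}}',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG_LINES):
        print(f"line {f['line']} {f['ctx']}: {f['kind']} {f['detail']}")
```

One caveat on coverage: the command document only appears in the log for operations mongod chose to log (slow operations above slowms, or everything when slowms is set to 0), so for the stage check the audit log is the more reliable source on deployments that have auditing enabled. The credential check needs no such setting, because the point of those two CVEs is that the values appear in the ordinary server log.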
CVE-2026-9741, rated Medium, affects query analysis for encrypted fields. When the $vectorSearch aggregation stage is used with Queryable Encryption (QE) or Client-Side Field Level Encryption (CSFLE), literal values for encrypted fields inside the stage's filter expression are sent to the server as plaintext rather than ciphertext, which defeats the purpose of client-side encryption for exactly those query values: the server, and anything that can read its traffic or logs, sees them. Finally, CVE-2026-9746, also Medium, can crash the server when change streams ($changeStream) are used together with $_requestReshardingResumeToken and the exchange option; the combination trips an internal invariant, which aborts the server.
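The practical question for CVE-2026-9741 is what a client actually puts on the wire. The following is an added example, not MongoDB or driver code: given the outbound aggregate command and the set of encrypted field paths from the collection's encryptedFields map, it reports any comparison of an encrypted field whose literal is still plaintext, in a $vectorSearch filter or in a $match. `Ciphertext` is a stand-in for a BSON Binary of subtype 6 (a real bson.binary.Binary exposes the same `.subtype` attribute, so the check also works on a driver's command document); the collection, field and index names are constructed for this example.

```python
# Added example (not MongoDB or driver code): audit an outbound aggregate
# command for encrypted-field literals that are still plaintext. Ciphertext is
# a stand-in for bson.binary.Binary(data, subtype=6); names are constructed.
ENCRYPTED_SUBTYPE = 6          # BSON binary subtype used for encrypted values
LOGICAL_OPS = {"$and", "$or", "$nor"}
COMPARISON_OPS = {"$eq", "$ne", "$gt", "$gte", "$lt", "$lte", "$in", "$nin"}


class Ciphertext:
    """Stand-in for a BSON Binary of subtype 6."""
    subtype = ENCRYPTED_SUBTYPE

    def __init__(self, data):
        self.data = data


def is_ciphertext(value):
    return getattr(value, "subtype", None) == ENCRYPTED_SUBTYPE


def plaintext_literals(expr, encrypted_paths):
    """(field, operator, literal) for every comparison of an encrypted field
    whose literal is not ciphertext. Recurses through $and/$or/$nor."""
    leaks = []
    if not isinstance(expr, dict):
        return leaks
    for key, value in expr.items():
        if key in LOGICAL_OPS and isinstance(value, list):
            for sub in value:
                leaks.extend(plaintext_literals(sub, encrypted_paths))
        elif key in encrypted_paths:
            leaks.extend(_check_field(key, value))
    return leaks


def _check_field(field, value):
    # {"f": {"$eq": x}} / {"f": {"$in": [..]}} form, or the bare {"f": x} form.
    if isinstance(value, dict) and value and all(op in COMPARISON_OPS for op in value):
        leaks = []
        for op, literal in value.items():
            literals = literal if op in ("$in", "$nin") and isinstance(literal, list) else [literal]
            leaks.extend((field, op, lit) for lit in literals if not is_ciphertext(lit))
        return leaks
    return [] if is_ciphertext(value) else [(field, "$eq", value)]


def audit_command(command, encrypted_paths):
    """Walk every stage of an outbound aggregate command. $vectorSearch keeps
    its predicate under 'filter'; $match is the predicate itself. Returns
    (stage index, location, field, operator, literal) tuples."""
    leaks = []
    for i, stage in enumerate(command.get("pipeline") or []):
        if "$vectorSearch" in stage:
            pred = stage["$vectorSearch"].get("filter") or {}
            leaks.extend((i, "$vectorSearch.filter", *hit)
                         for hit in plaintext_literals(pred, encrypted_paths))
        elif "$match" in stage:
            leaks.extend((i, "$match", *hit)
                         for hit in plaintext_literals(stage["$match"], encrypted_paths))
    return leaks


ENCRYPTED_PATHS = {"customer_id"}   # assumed: from the collection's encryptedFields map


def vector_search_command(filter_literal, match_literal):
    """Constructed command: vector search pre-filtered to one customer, then a
    $match on the same encrypted field."""
    return {
        "aggregate": "reviews",
        "pipeline": [
            {"$vectorSearch": {"index": "review_embeddings", "path": "embedding",
                               "queryVector": [0.12, -0.33, 0.51], "numCandidates": 100,
                               "limit": 5, "filter": {"customer_id": {"$eq": filter_literal}}}},
            {"$match": {"customer_id": match_literal}},
        ],
        "$db": "shop",
    }


CT = Ciphertext(b"\x01<ciphertext bytes>")
# The advisory's failure mode: $match was encrypted, the $vectorSearch filter was not.
BUGGY = vector_search_command("cust-4471", CT)
# What a correct client sends: both literals are ciphertext.
FIXED = vector_search_command(CT, CT)

if __name__ == "__main__":
    print("buggy:", audit_command(BUGGY, ENCRYPTED_PATHS))
    print("fixed:", audit_command(FIXED, ENCRYPTED_PATHS))
```

To run this against a real driver, feed it the command document the driver is about to send; in pymongo that is `event.command` in the `started()` callback of a `pymongo.monitoring.CommandListener` registered through `MongoClient(event_listeners=[...])`. Whether a given driver version reports the pre- or post-encryption form of the command in that event is something to confirm for the driver in use; a capture on a test instance with TLS termination settles it.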
The affected versions differ by CVE; consult the official MongoDB security advisories for the affected and fixed releases of each before planning an upgrade. The crash-class issues are reachable by any authenticated user, so beyond patching the usual controls apply: give application accounts only the roles they need, avoid sharing one account across services, and treat unexpected internal stage names or unredacted credentials in the server log as something to alert on.