CVE-2026-8063
Status: Analyzed (Analysis Complete)
Denial of Service in MongoDB Server via Empty Pipeline

Publication date: 2026-05-07

Last updated on: 2026-05-11

Assigner: MongoDB, Inc.

Description
An authenticated user can crash mongod when running $rankFusion or $scoreFusion with an empty pipeline on a view. When resolving a view, the server inspects the aggregation pipeline to determine whether it begins with an Atlas Search stage. For $rankFusion and $scoreFusion, this inspection reads the first element on each stage’s input pipeline array without first verifying that the array is non-empty. Supplying an empty pipeline causes a null pointer dereference and crashes the server. This issue affects MongoDB Server 8.2 versions prior to 8.2.7.
Meta Information
Published: 2026-05-07
Last Modified: 2026-05-11
Generated: 2026-06-16
AI Q&A: 2026-05-07
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Vendor: mongodb
Product: mongodb
Version / Range: from 8.2.0 (inclusive) to 8.2.7 (exclusive)
CWE
CWE-476: The product dereferences a pointer that it expects to be valid but is NULL.
Executive Summary

This vulnerability affects MongoDB Server 8.2 versions prior to 8.2.7: an authenticated user can cause the mongod process to crash by running the $rankFusion or $scoreFusion aggregation stages with an empty input pipeline on a view.

The root cause is that, when resolving a view, the server checks the aggregation pipeline to see whether it starts with an Atlas Search stage. For $rankFusion and $scoreFusion, the server reads the first element of each stage's input pipeline array without first verifying that the array is non-empty. If an input pipeline is empty, this read is a null pointer dereference, which crashes the server.
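The description and the summary above both come down to one missing check: an input pipeline array of a fusion stage is read at index 0 without testing that it has any elements. The following is an added example, not MongoDB's code and not part of this record, showing the kind of pre-flight validation an application or proxy layer can run before forwarding an aggregation to a server that is still in the affected 8.2.0 to 8.2.7 range. It assumes the stage layout where `$rankFusion` and `$scoreFusion` carry their named input pipelines under `input.pipelines` (an assumption about the documented syntax; adjust the field names if your deployment differs); the function names and the sample pipelines are constructed for the example.

```python
"""Pre-flight validator for the CVE-2026-8063 pattern (added example, not MongoDB code).

Flags $rankFusion / $scoreFusion stages whose input pipelines are empty, and
decides whether to reject the request based on the advisory's version range.
"""
from typing import Any

FUSION_STAGES = ("$rankFusion", "$scoreFusion")


def affected_version(version: str) -> bool:
    """True when a mongod version string falls in 8.2.0 <= v < 8.2.7.

    The range is the one given in the advisory; a pre-release suffix such as
    '-rc0' is ignored for the comparison.
    """
    parts = version.split("-")[0].split(".")
    try:
        major, minor, patch = (int(p) for p in parts[:3])
    except ValueError:
        raise ValueError(f"unrecognised version string: {version!r}")
    return (major, minor) == (8, 2) and patch < 7


def find_empty_fusion_pipelines(pipeline: list[dict[str, Any]], path: str = "$") -> list[str]:
    """Return path-like locations of empty input pipelines under fusion stages.

    Assumes (layout assumption) each fusion stage looks like
    {"$rankFusion": {"input": {"pipelines": {name: [stage, ...], ...}}}}.
    Recurses into non-empty input pipelines so a nested fusion stage with an
    empty input is still reported.
    """
    findings: list[str] = []
    for i, stage in enumerate(pipeline):
        if not isinstance(stage, dict) or len(stage) != 1:
            continue  # a well-formed stage is a single-key document
        (name, spec), = stage.items()
        if name not in FUSION_STAGES:
            continue
        inputs = spec.get("input", {}).get("pipelines", {}) if isinstance(spec, dict) else {}
        for pname, sub in inputs.items():
            loc = f"{path}[{i}].{name}.input.pipelines.{pname}"
            if not isinstance(sub, list) or len(sub) == 0:
                findings.append(loc)  # the unchecked-first-element case from the advisory
            else:
                findings.extend(find_empty_fusion_pipelines(sub, loc))
    return findings


def should_reject(pipeline: list[dict[str, Any]], server_version: str) -> bool:
    """Policy: block the request only while the server is in the affected range."""
    return affected_version(server_version) and bool(find_empty_fusion_pipelines(pipeline))


# Constructed sample pipelines (not taken from the record).
SAMPLE_BAD = [
    {"$rankFusion": {"input": {"pipelines": {
        "vector": [{"$match": {"category": "shoes"}}],
        "text": [],  # constructed: the empty input pipeline the advisory describes
    }}}},
]
SAMPLE_GOOD = [
    {"$match": {"category": "shoes"}},
    {"$scoreFusion": {"input": {"pipelines": {
        "a": [{"$match": {"x": 1}}],
        "b": [{"$sort": {"score": -1}}],
    }}}},
]

if __name__ == "__main__":
    for label, sample in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        print(label, find_empty_fusion_pipelines(sample), should_reject(sample, "8.2.6"))
```

The validator is a stop-gap for the window before the upgrade to 8.2.7; once every node reports a patched version, `should_reject` returns False and the check becomes a no-op.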

Impact Analysis

The primary impact of this vulnerability is a denial of service (DoS) condition where the MongoDB server process (mongod) crashes unexpectedly.

An attacker with authenticated access can exploit this issue to disrupt database availability by causing the server to crash, potentially leading to downtime and service interruptions.
