CVE-2026-8063
Analyzed Analyzed - Analysis Complete

Denial of Service in MongoDB Server via Empty Pipeline

Vulnerability report for CVE-2026-8063, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-05-07

Last updated on: 2026-05-11

Assigner: MongoDB, Inc.

Description

An authenticated user can crash mongod when running $rankFusion or $scoreFusion with an empty pipeline on a view. When resolving a view, the server inspects the aggregation pipeline to determine whether it begins with an Atlas Search stage. For $rankFusion and $scoreFusion, this inspection reads the first element on each stage’s input pipeline array without first verifying that the array is non-empty. Supplying an empty pipeline causes a null pointer dereference and crashes the server. This issue affects MongoDB Server 8.2 versionsΒ prior to 8.2.7.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-05-07
Last Modified
2026-05-11
Generated
2026-07-06
AI Q&A
2026-05-07
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
mongodb mongodb From 8.2.0 (inc) to 8.2.7 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability occurs in MongoDB Server versions prior to 8.2.7, where an authenticated user can cause the mongod process to crash by running the $rankFusion or $scoreFusion aggregation stages with an empty pipeline on a view.

The root cause is that when resolving a view, the server checks the aggregation pipeline to see if it starts with an Atlas Search stage. For $rankFusion and $scoreFusion, the server reads the first element of each stage's input pipeline array without verifying if the array is empty. If the pipeline is empty, this leads to a null pointer dereference, which crashes the server.

Impact Analysis

The primary impact of this vulnerability is a denial of service (DoS) condition where the MongoDB server process (mongod) crashes unexpectedly.

An attacker with authenticated access can exploit this issue to disrupt database availability by causing the server to crash, potentially leading to downtime and service interruptions.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-8063. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart