CVE-2026-8063
Denial of Service in MongoDB Server via Empty Pipeline
Publication date: 2026-05-07
Last updated on: 2026-05-07
Assigner: MongoDB, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mongodb | mongodb_server | all versions before 8.2.7 (8.2.7 not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability occurs in MongoDB Server versions prior to 8.2.7, where an authenticated user can cause the mongod process to crash by running the $rankFusion or $scoreFusion aggregation stages with an empty pipeline on a view.
The root cause is that when resolving a view, the server checks the aggregation pipeline to see if it starts with an Atlas Search stage. For $rankFusion and $scoreFusion, the server reads the first element of each stage's input pipeline array without verifying if the array is empty. If the pipeline is empty, this leads to a null pointer dereference, which crashes the server.
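The following is an added, illustrative pre-check and is not MongoDB code or part of this record. It assumes the documented shape of the two stages, `{"$rankFusion": {"input": {"pipelines": {"<name>": [stage, ...]}}}}` (and the same `input.pipelines` layout for `$scoreFusion`); the function names, the sample pipeline and the version string are constructed for the example. An application layer that builds aggregations from user-controlled input can run this before sending the command, so an empty sub-pipeline is rejected client-side instead of reaching an unpatched server.

```python
"""Client-side guard for the empty-pipeline crash path described above.

Added example, not MongoDB code. Assumes the documented stage layout:
  {"$rankFusion":  {"input": {"pipelines": {"<name>": [ ...stages... ]}}}}
  {"$scoreFusion": {"input": {"pipelines": {"<name>": [ ...stages... ]}}}}
All helper names are hypothetical.
"""
from typing import Any

FUSION_STAGES = ("$rankFusion", "$scoreFusion")
FIXED_VERSION = (8, 2, 7)  # first release listed as not affected


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '8.2.6' into (8, 2, 6); ignores any suffix beyond major.minor.patch."""
    return tuple(int(part) for part in version.split("-")[0].split(".")[:3])


def is_vulnerable_version(version: str) -> bool:
    """True for any server version below 8.2.7."""
    return parse_version(version) < FIXED_VERSION


def find_empty_fusion_pipelines(pipeline: list[dict[str, Any]]) -> list[str]:
    """Return one 'stageIndex:$stage:pipelineName' entry per empty sub-pipeline.

    Only the top-level stages are inspected; an empty array inside
    input.pipelines is exactly the input the record says the server reads
    without an emptiness check.
    """
    problems: list[str] = []
    for idx, stage in enumerate(pipeline):
        for stage_name in FUSION_STAGES:
            if stage_name not in stage:
                continue
            spec = stage[stage_name] or {}
            sub_pipelines = (spec.get("input") or {}).get("pipelines") or {}
            for sub_name, sub_stages in sub_pipelines.items():
                if not sub_stages:  # None or [] -> nothing for the server to read
                    problems.append(f"{idx}:{stage_name}:{sub_name}")
    return problems


def validate_pipeline(pipeline: list[dict[str, Any]], server_version: str) -> list[str]:
    """Reject pipelines with empty fusion sub-pipelines; return the findings otherwise.

    Empty sub-pipelines are rejected on every version because they are never
    meaningful; the version only decides how the error is worded.
    """
    problems = find_empty_fusion_pipelines(pipeline)
    if problems:
        severity = "crash-inducing on this server" if is_vulnerable_version(server_version) \
            else "invalid"
        raise ValueError(f"empty fusion sub-pipeline(s) ({severity}): {', '.join(problems)}")
    return problems


# Constructed sample: one valid named pipeline and one empty one.
SAMPLE_PIPELINE = [
    {"$rankFusion": {"input": {"pipelines": {
        "textSearch": [{"$match": {"status": "A"}}],
        "vectorSearch": [],
    }}}},
    {"$limit": 10},
]
SAMPLE_SERVER_VERSION = "8.2.6"  # constructed, below the fixed release

if __name__ == "__main__":
    print(find_empty_fusion_pipelines(SAMPLE_PIPELINE))
    try:
        validate_pipeline(SAMPLE_PIPELINE, SAMPLE_SERVER_VERSION)
    except ValueError as exc:
        print("rejected:", exc)
```

The check is deliberately independent of the server version: an empty named pipeline is rejected everywhere, and the version only changes the error text, so the guard keeps working after the upgrade rather than silently switching off.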
How can this vulnerability impact me?
The primary impact of this vulnerability is a denial of service (DoS) condition where the MongoDB server process (mongod) crashes unexpectedly.
An attacker with authenticated access can exploit this issue to disrupt database availability by causing the server to crash, potentially leading to downtime and service interruptions.