CVE-2026-9746
Received Received - Intake
MongoDB Server Crash via Invalid Changelog Stream Invariant

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: MongoDB, Inc.

Description
When using $changestreams and $_requestReshardingResumeToken with the exchange option the server hits an invariant which causes the server to crash. There are no special privileges needed. The user must be logged in to issue the statement.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-09
Last Modified
2026-06-09
Generated
2026-06-10
AI Q&A
2026-06-10
EPSS Evaluated
N/A
NVD
CVE-2026-9746
EUVD
EUVD-2026-35862
Affected Vendors & Products
Currently, no data is known.
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-617 The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability occurs when using the $changestreams and $_requestReshardingResumeToken features with the exchange option in MongoDB. It causes the server to hit an invariant condition that leads to a server crash. No special privileges are required to trigger this issue, but the user must be logged in to issue the statement.

Impact Analysis

The primary impact of this vulnerability is that it can cause the MongoDB server to crash unexpectedly. This can lead to denial of service, disrupting database availability and potentially affecting applications relying on the database.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-9746. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart