MongoDB Server Crash via Invalid Changelog Stream Invariant

Publication date: 2026-06-09

Last updated on: 2026-06-18

Assigner: MongoDB, Inc.

Description

When using $changestreams and $_requestReshardingResumeToken with the exchange option the server hits an invariant which causes the server to crash. There are no special privileges needed. The user must be logged in to issue the statement.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-06-09

Last Modified

2026-06-18

Generated

2026-06-30

AI Q&A

2026-06-10

EPSS Evaluated

2026-06-28

NVD

CVE-2026-9746

EUVD

EUVD-2026-35862

Affected Vendors & Products

Vendor	Product	Version / Range
mongodb	mongodb	From 8.0.0 (inc) to 8.0.24 (exc)
mongodb	mongodb	From 8.2.0 (inc) to 8.2.10 (exc)
mongodb	mongodb	From 8.3.0 (inc) to 8.3.3 (exc)
mongodb	mongodb	From 7.0.0 (inc) to 7.0.35 (exc)

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-617	The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.

Attack-Flow Graph

Executive Summary

This vulnerability occurs when using the $changestreams and $_requestReshardingResumeToken features with the exchange option in MongoDB. It causes the server to hit an invariant condition that leads to a server crash. No special privileges are required to trigger this issue, but the user must be logged in to issue the statement.

Impact Analysis

The primary impact of this vulnerability is that it can cause the MongoDB server to crash unexpectedly. This can lead to denial of service, disrupting database availability and potentially affecting applications relying on the database.

Hi! I’m here to help you understand CVE-2026-9746. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70