MongoDB Server Crash via Metadata Interference

Publication date: 2026-06-09

Last updated on: 2026-06-15

Assigner: MongoDB, Inc.

Description

An authenticated user can cause a MongoDB server to crash or return incorrect results by creating documents that interfere with internal metadata processing during query execution. This stems from insufficient separation between user-controlled document fields and internal metadata in certain execution paths.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-06-09

Last Modified

2026-06-15

Generated

2026-06-30

AI Q&A

2026-06-10

EPSS Evaluated

2026-06-28

NVD

CVE-2026-9750

EUVD

EUVD-2026-35866

Affected Vendors & Products

Vendor	Product	Version / Range
mongodb	mongodb	From 7.0.0 (inc) to 7.0.35 (exc)
mongodb	mongodb	From 8.0.0 (inc) to 8.0.24 (exc)
mongodb	mongodb	From 8.2.0 (inc) to 8.2.10 (exc)
mongodb	mongodb	From 8.3.0 (inc) to 8.3.3 (exc)

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-617	The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.

Attack-Flow Graph

Executive Summary

This vulnerability allows an authenticated user to cause a MongoDB server to crash or return incorrect results. It happens because the user can create documents that interfere with the server's internal metadata processing during query execution. The root cause is insufficient separation between user-controlled document fields and internal metadata in certain execution paths.

Impact Analysis

The impact of this vulnerability includes the potential for denial of service by crashing the MongoDB server and the risk of receiving incorrect query results. This can disrupt application availability and data integrity, potentially leading to operational issues.

Hi! I’m here to help you understand CVE-2026-9750. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70