CVE-2026-11933 · Severity: HIGH · CNA: mongodb

CVE-2026-11933: Post-authentication use-after-free in server-side JavaScript BSON-to-array conversion

A use-after-free vulnerability exists in MongoDB Server's server-side JavaScript engine when converting BSON documents to JavaScript arrays. An authenticated user with read privileges who is able to run server-side JavaScript (for example, via $where or $function) can cause the server to access memory that has already been freed. This may result in disclosure of information from the mongod process memory or a denial of service through a server crash.

Metrics

CVSS v4.0: 8.7
Severity: HIGH
Fixed in: no fix version published
Affected Products: 1


HarborGuard Analysis

Synopsis

A use-after-free vulnerability exists in MongoDB Server's server-side JavaScript engine during BSON-to-array conversion. It is reachable over the network by any authenticated user with read privileges who can execute server-side JavaScript, for example via $where or $function query operators. Successful exploitation gives the attacker access to memory from the mongod process, enabling sensitive data disclosure or a server crash. No fix version has been published yet; HarborGuard tracks the advisory and will surface a patched-image rebuild the moment upstream ships one.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built MongoDB images in private registries and CI pipelines. Any image running an affected MongoDB version (up to and including 8.3.3, 8.2.10, 8.0.25, or 7.0.36) is flagged automatically.

Triage: Available

HarborGuard scores this finding at CVSS v4.0 8.7 (HIGH) and weights it against each customer organization's per-environment compliance policy to determine urgency and routing. Findings are delivered to the appropriate team inbox within each customer org based on ownership rules configured in their HarborGuard workspace.

Patch: Pending upstream

Because no upstream fix version has been published, HarborGuard re-evaluates this advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment MongoDB releases a remediated version. For customers with auto-remediation enabled, a rebuilt image, a regression-test run, and a PR opened against affected workloads will follow without manual intervention once that fix is available.

Exploit Conditions

  • Network reachability: Required

    The vulnerable code path is exposed over the network; an attacker must be able to reach the mongod service to send crafted JavaScript queries.

  • Authentication: Required

    A valid database account with at least read privileges is needed; any low-privilege credential that permits server-side JavaScript execution (for example, via $where or $function) is sufficient.

  • Victim interaction: Not required

    No action by another user or administrator is required; the attacker triggers the vulnerability entirely through their own requests.

  • Attack complexity: Low

    Attack complexity is rated low (AC:L in the CVSS vector), meaning the exploit is reliable and requires no special environmental conditions, race wins, or memory-layout prerequisites.

Blast Radius

  • Reads arbitrary bytes from the mongod process memory, potentially exposing stored credentials, session tokens, or customer records held in working memory.
  • Crashes the mongod server process, causing a denial of service for all clients dependent on that instance.
  • Impacts the confidentiality, integrity, and availability of data accessible within the mongod process boundary, as reflected by the high VC, VI, and VA scores in the CVSS v4.0 vector.
  • Blast radius is contained to the affected mongod instance; the CVSS vector records no impact on systems outside the immediate scope (SC:N, SI:N, SA:N).

How HarborGuard Handles This

Available on HarborGuard: because no upstream patch exists for CVE-2026-11933 at this time, the platform monitors the MongoDB advisory on every ingest cycle and will automatically trigger a patched-image rebuild as soon as a fix version is published. For customers with auto-remediation enabled, that rebuild will be followed immediately by a regression-test run and a PR opened against affected workloads, with no manual steps required.

In the interim, HarborGuard surfaces this finding as HIGH severity so teams can apply compensating controls:

  • restricting network policy to limit which clients can reach mongod;
  • disabling server-side JavaScript execution at the MongoDB configuration level (security.javascriptEnabled: false) where application logic permits;
  • applying egress filtering to reduce the exposure surface of the database tier.

The advisory and any vendor updates are re-evaluated each ingest cycle so customers receive notification without delay when a fix becomes available.
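The two checks a defender would run against a deployment while the upstream fix is pending are whether the running version falls inside the affected ranges listed on this page and whether the compensating control (security.javascriptEnabled: false) is actually set in the mongod configuration. The script below is an added example, not HarborGuard's or MongoDB's code. It assumes mongod.conf is plain indentation-nested key/value YAML (a minimal parser is used to avoid a PyYAML dependency), and the two sample configurations are constructed for the demonstration.

```python
"""Triage helper for CVE-2026-11933 (added example, not vendor code).

Checks (1) whether a mongod version string lies within the affected ranges
listed in the advisory and (2) whether server-side JavaScript is explicitly
disabled via security.javascriptEnabled in a mongod.conf-style YAML file.
"""

import re

# Highest affected patch level per release branch, taken from the advisory.
# No fix version has been published, so a patch level above a ceiling is
# reported as needing manual confirmation rather than as "fixed".
AFFECTED_CEILINGS = {
    (8, 3): 3, (8, 2): 10, (8, 0): 25, (7, 0): 36, (6, 0): 28, (5, 0): 33,
}


def parse_version(version):
    """Parse 'major.minor.patch' (optional '-suffix') into an int tuple."""
    match = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-.*)?", version.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in match.groups())


def version_status(version):
    """Classify a version against the advisory's listed ranges."""
    major, minor, patch = parse_version(version)
    ceiling = AFFECTED_CEILINGS.get((major, minor))
    if ceiling is None:
        return "unlisted-branch"
    return "affected" if patch <= ceiling else "above-listed-range"


def _scalar(value):
    """Convert a YAML scalar the way mongod.conf values are normally written."""
    lowered = value.lower()
    if lowered in ("true", "yes", "on"):
        return True
    if lowered in ("false", "no", "off"):
        return False
    if value.isdigit():
        return int(value)
    return value.strip("'\"")


def parse_simple_yaml(text):
    """Minimal parser for indentation-nested 'key: value' mappings.

    Assumption: covers only the mapping/scalar subset a mongod.conf security
    block uses; it is not a general YAML parser.
    """
    root = {}
    stack = [(-1, root)]  # (indent, mapping) pairs, root at indent -1
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip()
        while indent <= stack[-1][0]:  # climb back out of deeper blocks
            stack.pop()
        parent = stack[-1][1]
        if value == "":  # start of a nested mapping
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = _scalar(value)
    return root


def server_side_js_disabled(config_text):
    """True only when security.javascriptEnabled is explicitly false.

    mongod enables server-side JavaScript by default, so an absent key is
    treated as enabled (the weak state for this CVE).
    """
    security = parse_simple_yaml(config_text).get("security")
    if not isinstance(security, dict):
        return False
    return security.get("javascriptEnabled") is False


# Constructed sample: a typical config with authorization on but JS left enabled.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
security:
  authorization: enabled
"""

# Constructed sample: same file with the compensating control applied.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
  javascriptEnabled: false   # blocks $where / $function execution
"""


def triage(version, config_text):
    """Combine both checks into one finding record."""
    return {
        "version": version_status(version),
        "server_side_js_disabled": server_side_js_disabled(config_text),
    }


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, triage("8.0.25", conf))
```

Run it with the version reported by the instance and the contents of its mongod.conf; a result of `"affected"` together with `server_side_js_disabled: False` is the state the advisory's compensating control is meant to close. Because no fix has shipped, `"above-listed-range"` is deliberately not reported as safe.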

Affected packages

  • MongoDB / MongoDB: ≤ 8.3.3 · ≤ 8.2.10 · ≤ 8.0.25 · ≤ 7.0.36 · ≤ 6.0.28 · ≤ 5.0.33

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N