HarborGuard / CVE
Back to search
CRITICALCVE-2026-8431Published Modified CNA mongodb

CVE-2026-8431: Ops Manager RCE via webhook body

An administrative user with access to configure webhooks can execute arbitrary commands by configuring and then triggering webhooks containing specific FreeMarker template syntax.  This issue affects all MongoDB Ops Manager 7.0 versions and MongoDB Ops Manager versions 8.0.22 and prior.

Metrics

CVSS v4.0
9.4
Severity
CRITICAL
Fixed in
8.0.23
Affected Products
1

Fix available

8.0.23
Affected packages
  • MongoDB, Inc. / Ops Manager
    < 8.0.23 (from 7.0)
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
References
CVE-2026-8431: Ops Manager RCE via webhook body | HarborGuard CVE