HIGH | CVE-2026-9743 | CNA: mongodb

CVE-2026-9743: Aggregation sub-pipeline null dereference may allow DoS via crafted getMore

In MongoDB Server 8.0, an aggregation stage can leave its _subPipeline field null during processing of certain pipelines. If a getMore is subsequently issued on the same cursor, the server may dereference this null sub-pipeline when reattaching to the operation context, accessing an invalid address and crashing the process. This issue allows an authenticated user who can run aggregation pipelines to cause a denial of service by issuing a specially crafted aggregation followed by getMore on affected versions.

Metrics

CVSS v4.0: 7.1
Severity: HIGH
Fixed in: 8.0.24
Affected Products: 1


HarborGuard Analysis

Synopsis

A null pointer dereference in MongoDB Server 8.0 allows an authenticated user to crash the database process. The vulnerability is reachable over the network and requires only a low-privilege account; no special configuration is needed. An attacker crafts an aggregation pipeline that leaves an internal sub-pipeline field null, then issues a getMore on the resulting cursor, causing the server to dereference an invalid address and terminate. A patched-image rebuild at version 8.0.24 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment; the CVE is matched against customer images within minutes of ingestion from upstream MongoDB and NVD advisory feeds, covering both official MongoDB images and custom-built images that bundle the server binary. Any image running MongoDB Server 8.0.0 through 8.0.23 will surface as affected in registry and CI pipeline scans.

Status: Available

Triage

HarborGuard scores this CVE at CVSS v4.0 7.1 (High) and can weight that score against each customer environment's compliance policy to prioritize findings appropriately. Triage results are routable to the relevant team inbox within each customer org based on image ownership and policy configuration.

Status: Available

Patch

A patched-image rebuild at MongoDB Server 8.0.24 is available on HarborGuard for environments running an affected version. For customers who opt into auto-remediation, HarborGuard can perform the rebuild, run a regression test suite, and open a pull request against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the MongoDB server over the network to issue aggregation and getMore commands.

  • Authentication: Required

    Any low-privilege account that has permission to run aggregation pipelines is sufficient to trigger the crash.

  • Victim interaction: Not required

    No action from another user or operator is needed; the attacker issues the crafted sequence entirely on their own.

  • Attack complexity: Detail

    The exploit is reliable and condition-free; no race conditions, memory layout dependencies, or environmental factors need to align.

Blast Radius

  • The MongoDB server process crashes, making the database unavailable to all connected applications until the process is restarted.
  • Any in-flight transactions or writes that had not yet been committed are lost at the moment of the crash.
  • Repeated exploitation keeps the service in a crash-restart loop, effectively taking the database offline for the duration of the attack.
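
One way to spot the crash-restart loop described above in mongod's own log, as an added example that is not HarborGuard or MongoDB code. It assumes structured JSON logging with the t.$date, s and msg fields; the sample lines, the function names and the threshold of three restarts in ten minutes are constructed for illustration.

```python
import json
from datetime import datetime, timedelta

# Constructed sample lines in the shape of mongod's structured JSON log
# (not real output): a normal start, then three crashes each followed by a restart.
SAMPLE_LOG = """\
{"t":{"$date":"2026-01-10T10:00:00.000+00:00"},"s":"I","c":"CONTROL","ctx":"initandlisten","msg":"MongoDB starting","attr":{"pid":1}}
{"t":{"$date":"2026-01-10T10:02:00.000+00:00"},"s":"F","c":"CONTROL","ctx":"conn7","msg":"Writing fatal message","attr":{"message":"Invalid access at address: 0"}}
{"t":{"$date":"2026-01-10T10:02:00.001+00:00"},"s":"F","c":"CONTROL","ctx":"conn7","msg":"Writing fatal message","attr":{"message":"Got signal: 11 (Segmentation fault)."}}
{"t":{"$date":"2026-01-10T10:02:05.000+00:00"},"s":"I","c":"CONTROL","ctx":"initandlisten","msg":"MongoDB starting","attr":{"pid":1}}
{"t":{"$date":"2026-01-10T10:04:00.000+00:00"},"s":"F","c":"CONTROL","ctx":"conn3","msg":"Writing fatal message","attr":{"message":"Invalid access at address: 0"}}
{"t":{"$date":"2026-01-10T10:04:06.000+00:00"},"s":"I","c":"CONTROL","ctx":"initandlisten","msg":"MongoDB starting","attr":{"pid":1}}
not a JSON line (e.g. supervisor output mixed into the file)
{"t":{"$date":"2026-01-10T10:06:00.000+00:00"},"s":"F","c":"CONTROL","ctx":"conn5","msg":"Writing fatal message","attr":{"message":"Invalid access at address: 0"}}
{"t":{"$date":"2026-01-10T10:06:05.000+00:00"},"s":"I","c":"CONTROL","ctx":"initandlisten","msg":"MongoDB starting","attr":{"pid":1}}
"""

def crash_restarts(lines):
    """Return the startup time of every start that follows a fatal (s == "F") entry."""
    restarts, crashed = [], False
    for line in lines:
        try:
            entry = json.loads(line)
            when = datetime.fromisoformat(entry["t"]["$date"])
        except (ValueError, KeyError, TypeError):
            continue  # skip non-JSON or malformed lines
        if entry.get("s") == "F":
            crashed = True  # a crash writes several fatal lines; count it once
        elif entry.get("msg") == "MongoDB starting":
            if crashed:
                restarts.append(when)
            crashed = False  # a clean stop and start is not a crash-restart
    return restarts

def in_crash_loop(restarts, threshold=3, window=timedelta(minutes=10)):
    """True if `threshold` crash-restarts fall inside any span of length `window`."""
    restarts = sorted(restarts)
    for i in range(len(restarts) - threshold + 1):
        if restarts[i + threshold - 1] - restarts[i] <= window:
            return True
    return False

if __name__ == "__main__":
    found = crash_restarts(SAMPLE_LOG.splitlines())
    print(len(found), "crash-restarts; loop:", in_crash_loop(found))
```

A fatal entry can have causes other than this CVE, so a hit is a prompt to check the server version against the affected range, not a confirmation.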

How HarborGuard Handles This

Available on HarborGuard: detection for this CVE is active for all images in customer registries and build pipelines, matched against the affected version range (8.0.0 to 8.0.23) on every ingest cycle. A patched-image rebuild targeting MongoDB Server 8.0.24 is available for environments running an affected version. Where compliance policy permits, auto-remediation customers receive a rebuilt image, a regression-test run, and a PR opened against affected workloads; for high-severity issues, the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Customers not yet on auto-remediation can action the finding manually from the triage queue, where the finding is surfaced with full CVSS context and affected image details.


Fix available: 8.0.24

Affected packages

  • MongoDB / MongoDB server: < 8.0.24 (from 8.0.0)

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N