CVE-2026-9746: Server crashes in case of the use of exchange
When using $changestreams and $_requestReshardingResumeToken with the exchange option, the server hits an invariant failure that crashes the server process. No special privileges are needed, but the user must be logged in to issue the statement.
Metrics
- CVSS v4.0: 7.1
- Severity: HIGH
- Fixed in: 7.0.35
- Affected Products: 1
HarborGuard Analysis
Synopsis
A denial-of-service vulnerability affects MongoDB Server across the 7.0, 8.0, 8.2, and 8.3 release lines. An authenticated attacker can send a crafted query combining $changestreams and $_requestReshardingResumeToken with the exchange option, triggering an internal invariant violation that crashes the server process. Successful exploitation causes full service disruption for all clients connected to the affected instance. Patched-image rebuilds at versions 7.0.35, 8.0.24, 8.2.10, and 8.3.3 are available on HarborGuard for affected environments.
HarborGuard Coverage
- Available: Detection capability is available across every HarborGuard environment. CVE-2026-9746 is ingested from upstream advisory feeds within minutes of publication and matched against all container images in customer registries and CI/CD pipelines, including custom-built images that bundle MongoDB Server.
- Available: HarborGuard scores this CVE at CVSS 7.1 (High) and weights it against each environment's compliance policy to determine urgency; findings are routed to the appropriate team inbox within each customer organization based on configured ownership rules.
- Available: Patched-image rebuilds at MongoDB Server versions 7.0.35, 8.0.24, 8.2.10, and 8.3.3 are available on HarborGuard for any environment running an affected version. For customers who opt into auto-remediation, HarborGuard can trigger a rebuild, run regression tests, and open a PR against affected workloads automatically.
Exploit Conditions
- Network reachability: Required. The attacker must be able to reach the MongoDB Server over the network to issue the malicious query.
- Authentication: Required. Any low-privilege authenticated account is sufficient; no elevated or administrative role is needed to issue the triggering statement.
- Victim interaction: Not required. No victim interaction is needed; the attacker sends the query directly without requiring any other user to take action.
- Attack complexity: Low. The exploit is reliable and condition-free; no race condition, memory layout dependency, or special environmental configuration is required to trigger the crash.
Blast Radius
- Crashes the targeted MongoDB Server process, immediately dropping all active client connections.
- Causes full availability loss for every database and collection hosted on the affected instance until the process is restarted.
- Repeated triggering by the same or multiple authenticated accounts can prevent sustained recovery, creating a persistent denial-of-service condition.
How HarborGuard Handles This
Available on HarborGuard: images containing MongoDB Server versions in the affected ranges (7.0.0-7.0.34, 8.0.0-8.0.23, 8.2.0-8.2.9, 8.3.0-8.3.2) are flagged at High severity and surfaced in the affected environment's finding queue. Patched rebuilds targeting 7.0.35, 8.0.24, 8.2.10, or 8.3.3 (matching the version line in use) are available immediately. For customers with auto-remediation enabled, HarborGuard can rebuild the image, execute the configured regression suite, and open a PR against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy does not permit auto-remediation, the finding is routed to the designated owner inbox with remediation version details attached for manual action.
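The range matching described above can be reproduced locally, for example to triage a registry export before a scanner run. The following is an added example and is not HarborGuard's code: the affected and fixed ranges are taken from this advisory (7.0.0-7.0.34, 8.0.0-8.0.23, 8.2.0-8.2.9, 8.3.0-8.3.2, fixed in 7.0.35, 8.0.24, 8.2.10, 8.3.3), while the image inventory, the `Finding` structure and the function names are constructed for illustration. Versions on a release line the advisory does not list (for example 8.1.x) are reported as "unlisted" rather than as safe, so they are not silently dropped from review.

```python
"""Version-range triage for CVE-2026-9746 (added example, not HarborGuard's code)."""
import re
from typing import NamedTuple, Optional

# First affected version (inclusive) and first fixed version (exclusive
# upper bound) per release line, as stated in the advisory.
AFFECTED_RANGES = [
    ((7, 0, 0), (7, 0, 35)),
    ((8, 0, 0), (8, 0, 24)),
    ((8, 2, 0), (8, 2, 10)),
    ((8, 3, 0), (8, 3, 3)),
]


class Finding(NamedTuple):
    image: str
    version: str
    status: str               # "affected", "fixed" or "unlisted"
    fixed_in: Optional[str]   # remediation version for the matched line


def parse_version(text: str) -> tuple:
    """Parse 'X.Y.Z' (optionally with a '-suffix' or '+build' tag, as in
    image tags such as '7.0.34-jammy') into a comparable int tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[-+].*)?", text.strip())
    if not m:
        raise ValueError(f"unparseable MongoDB version: {text!r}")
    return tuple(int(part) for part in m.groups())


def assess(image: str, version: str) -> Finding:
    """Classify one image against the advisory ranges.

    A version is matched to a release line by its major.minor; within the
    line it is 'affected' below the fix version and 'fixed' at or above it.
    Lines the advisory does not mention are reported as 'unlisted'."""
    v = parse_version(version)
    for first, fixed in AFFECTED_RANGES:
        if v[:2] != first[:2]:
            continue  # different release line
        fixed_str = ".".join(map(str, fixed))
        if first <= v < fixed:
            return Finding(image, version, "affected", fixed_str)
        if v >= fixed:
            return Finding(image, version, "fixed", fixed_str)
    return Finding(image, version, "unlisted", None)


def scan(inventory: list) -> list:
    """Return findings for every image whose status is not 'fixed',
    affected images first, so they land at the top of a review queue."""
    findings = [assess(img, ver) for img, ver in inventory]
    order = {"affected": 0, "unlisted": 1, "fixed": 2}
    return sorted(
        (f for f in findings if f.status != "fixed"),
        key=lambda f: (order[f.status], f.image),
    )


# Constructed sample inventory: (image reference, bundled MongoDB version).
SAMPLE_INVENTORY = [
    ("registry.example/app-db:prod", "7.0.34-jammy"),
    ("registry.example/app-db:canary", "7.0.35"),
    ("registry.example/analytics:1.4", "8.2.9"),
    ("registry.example/legacy-db:2023", "8.1.2"),
    ("registry.example/app-db:next", "8.3.3"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_INVENTORY):
        print(f"{f.status:9} {f.image:38} {f.version:14} fix: {f.fixed_in}")
```

Running the block prints the two affected images (fix versions 7.0.35 and 8.2.10) followed by the unlisted 8.1.2 image; the two already-fixed images are omitted from the queue.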
Fix available
- MongoDB / MongoDB Server: < 8.3.3 (from 8.3.0) · < 8.2.10 (from 8.2.0) · < 8.0.24 (from 8.0.0) · < 7.0.35 (from 7.0.0)
CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N