{"document":{"category":"csaf_vex","csaf_version":"2.0","title":"CVE-2026-9746: Server crashes in case of the use of exchange","publisher":{"category":"vendor","name":"HarborGuard Database","namespace":"https://database.harborguard.co"},"tracking":{"id":"CVE-2026-9746","status":"final","version":"1","initial_release_date":"2026-06-09T22:02:12.772Z","current_release_date":"2026-06-10T13:22:35.792Z","revision_history":[{"date":"2026-06-09T22:02:12.772Z","number":"1","summary":"Initial machine-readable export from HarborGuard."}]},"distribution":{"tlp":{"label":"WHITE"},"text":"Public CVE data; freely redistributable."},"notes":[{"category":"description","text":"When using $changestreams and $_requestReshardingResumeToken with the exchange option the server hits an invariant which causes the server to crash. There are no special privileges needed. The user must be logged in to issue the statement.","title":"CVE description"}],"references":[{"category":"self","summary":"CVE-2026-9746 on HarborGuard Database","url":"https://database.harborguard.co/cve/CVE-2026-9746"},{"category":"external","summary":"CVE Record","url":"https://www.cve.org/CVERecord?id=CVE-2026-9746"},{"category":"external","summary":"jira.mongodb.org","url":"https://jira.mongodb.org/browse/SERVER-124190"}]},"product_tree":{"branches":[{"category":"vendor","name":"MongoDB","branches":[{"category":"product_name","name":"MongoDB Server","branches":[{"category":"product_version_range","name":">=8.3.0 <8.3.3","product":{"name":"MongoDB MongoDB Server >=8.3.0 <8.3.3","product_id":"CSAFPID-1","product_identification_helper":{"cpe":"cpe:2.3:a:mongodb:mongodb_server:*:*:*:*:*:*:*:*"}}},{"category":"product_version_range","name":">=8.2.0 <8.2.10","product":{"name":"MongoDB MongoDB Server >=8.2.0 <8.2.10","product_id":"CSAFPID-2","product_identification_helper":{"cpe":"cpe:2.3:a:mongodb:mongodb_server:*:*:*:*:*:*:*:*"}}},{"category":"product_version_range","name":">=8.0.0 <8.0.24","product":{"name":"MongoDB MongoDB Server >=8.0.0 <8.0.24","product_id":"CSAFPID-3","product_identification_helper":{"cpe":"cpe:2.3:a:mongodb:mongodb_server:*:*:*:*:*:*:*:*"}}},{"category":"product_version_range","name":">=7.0.0 <7.0.35","product":{"name":"MongoDB MongoDB Server >=7.0.0 <7.0.35","product_id":"CSAFPID-4","product_identification_helper":{"cpe":"cpe:2.3:a:mongodb:mongodb_server:*:*:*:*:*:*:*:*"}}}]}]}]},"vulnerabilities":[{"cve":"CVE-2026-9746","title":"Server crashes in case of the use of exchange","notes":[{"category":"description","text":"When using $changestreams and $_requestReshardingResumeToken with the exchange option the server hits an invariant which causes the server to crash. There are no special privileges needed. The user must be logged in to issue the statement.","title":"CVE description"}],"product_status":{"known_affected":["CSAFPID-1","CSAFPID-2","CSAFPID-3","CSAFPID-4"]},"scores":[{"cvss_v4":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N","baseScore":7.1,"baseSeverity":"HIGH"},"products":["CSAFPID-1","CSAFPID-2","CSAFPID-3","CSAFPID-4"]}],"remediations":[{"category":"vendor_fix","details":"Update to a fixed version: 7.0.35, 8.0.24, 8.2.10, 8.3.3.","product_ids":["CSAFPID-1","CSAFPID-2","CSAFPID-3","CSAFPID-4"]}]}]}