CVE-2026-9747: Crafted cross-shard merge aggregation crashes MongoDB Server
Adding fromRouter:true and runtimeConstants.userRoles to an aggregation could cause it to crash the MongoDB server.
Metrics
- CVSS v4.0: 7.1
- Severity: HIGH
- Fixed in: 7.0.35
- Affected Products: 1
HarborGuard Analysis
Synopsis
A denial-of-service vulnerability affects MongoDB Server across versions 7.0.x, 8.0.x, 8.2.x, and 8.3.x. An authenticated attacker reachable over the network can craft an aggregation pipeline using the fromRouter:true flag combined with runtimeConstants.userRoles, triggering a server crash. Successful exploitation disrupts MongoDB availability for all workloads sharing the affected instance. Patched-image rebuilds at versions 7.0.35, 8.0.24, 8.2.10, and 8.3.3 are available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection capability for CVE-2026-9747 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds, including custom-built images that bundle MongoDB Server. Coverage extends to all four affected version ranges across the 7.0, 8.0, 8.2, and 8.3 release lines.
HarborGuard is capable of scoring this CVE at CVSS 7.1 (HIGH, CVSS v4.0) and weighting results against each environment's compliance policy to reflect local risk tolerance. Triage findings are routable to the appropriate team inbox within each customer organization based on configured ownership rules.
Patched-image rebuilds at MongoDB Server versions 7.0.35, 8.0.24, 8.2.10, and 8.3.3 are available on HarborGuard for any environment found running an affected version. For customers who opt into auto-remediation, HarborGuard can trigger a rebuild, run regression tests, and open a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
  The attacker must be able to reach the MongoDB Server over the network to submit the malicious aggregation pipeline.
- Authentication: Required
  A low-privilege account is sufficient; any valid MongoDB user able to run aggregation queries can trigger the crash.
- Victim interaction: Not required
  No user interaction is needed; the attacker sends the crafted request directly to the server.
- Attack complexity: Low (AC:L in the CVSS vector)
  Exploit conditions are straightforward and reliable, with no race conditions or special environmental configuration required.
Blast Radius
- Crashes the targeted MongoDB Server process, making all databases on that instance unavailable until the service is restarted.
- Disrupts every application or service connected to the affected MongoDB instance, including reads, writes, and background operations.
- Repeated crashes can prevent normal operator recovery and extend downtime beyond a single restart cycle.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-9747 activates as soon as the CVE is ingested, matching against all scanned images that bundle an affected MongoDB Server version across the 7.0, 8.0, 8.2, and 8.3 lines. Rebuilt images at the fix versions (7.0.35, 8.0.24, 8.2.10, 8.3.3) are available for affected environments. For customers who opt into auto-remediation, HarborGuard can execute the full rebuild-and-PR flow; for HIGH-severity issues, median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. For environments where immediate patching is constrained by compliance policy, consider applying network-policy controls to restrict which clients can execute aggregation pipelines against MongoDB, and audit existing low-privilege accounts that have aggregation run permissions, as compensating measures until the patched image is deployed.
Fix available
- MongoDB / MongoDB Server: < 8.3.3 (from 8.3.0) · < 8.2.10 (from 8.2.0) · < 8.0.24 (from 8.0.0) · < 7.0.35 (from 7.0.0)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
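As an added triage aid (not HarborGuard's or MongoDB's own code), the following script maps a version string from an image tag or `mongod --version` onto the four affected ranges listed above and names the minimum fix version. It assumes MongoDB's usual pre-release suffixes (-rc0, -alpha1) and treats a version line the advisory does not list, such as 8.1.x, as "not listed" rather than "known safe".

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int, int]  # major, minor, patch, 0 = pre-release / 1 = final

# Ranges from the advisory: first affected build and fix version per release line.
# A pre-release of the fix version (e.g. 7.0.35-rc0) is treated as still affected.
AFFECTED_RANGES = [
    ((7, 0, 0, 0), (7, 0, 35, 1)),
    ((8, 0, 0, 0), (8, 0, 24, 1)),
    ((8, 2, 0, 0), (8, 2, 10, 1)),
    ((8, 3, 0, 0), (8, 3, 3, 1)),
]
# Matches 'X.Y.Z' with an optional MongoDB-style pre-release suffix (-rc0, -alpha1).
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(-(?:rc|alpha|beta)\d*)?")

def parse_version(text: str) -> Version:
    """Pull the version out of '7.0.12', 'db version v8.0.20' (mongod --version)
    or an image tag such as 'mongo:8.2.3-jammy' (OS suffixes are not pre-releases)."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no MongoDB version found in {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    return major, minor, patch, 0 if m.group(4) else 1

def affected_range(text: str) -> Optional[Tuple[Version, Version]]:
    """Return the advisory range covering this version, or None when no listed
    line matches. None means 'not listed' (e.g. 8.1.x), not 'known safe'."""
    v = parse_version(text)
    for first_affected, fixed in AFFECTED_RANGES:
        if first_affected <= v < fixed:
            return first_affected, fixed
    return None

def is_affected(text: str) -> bool:
    return affected_range(text) is not None

def fix_version(text: str) -> Optional[str]:
    """Minimum version to move to (e.g. '8.0.24'), or None when no range matched."""
    rng = affected_range(text)
    return ".".join(str(n) for n in rng[1][:3]) if rng else None

if __name__ == "__main__":
    # Constructed sample image tags, not real scan output.
    for tag in ["mongo:7.0.34", "mongo:7.0.35", "mongo:8.3.3-rc0", "mongo:6.0.18"]:
        print(tag, "affected" if is_affected(tag) else "not listed", fix_version(tag))
```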