CVE-2026-9748 · Severity: HIGH · CNA: mongodb

CVE-2026-9748: $_internalConvertBucketIndexStats may crash the mongod server when working on no timeseries input

The $_internalConvertBucketIndexStats stage used PauseExecution to signal "skip this document" when an index stats conversion failed. PauseExecution, however, is not a general-purpose skip mechanism: it is a TeeBuffer-internal signal used solely by $facet to coordinate its sub-pipelines. When this stage is placed before $facet in a pipeline, TeeBuffer receives the unexpected PauseExecution from upstream and hits a hard invariant assertion, crashing mongod.

Metrics

  • CVSS v4.0: 7.1
  • Severity: HIGH
  • Fixed in: 7.0.35
  • Affected Products: 1


HarborGuard Analysis

Synopsis

A denial-of-service vulnerability affects MongoDB Server in the aggregation pipeline stage $_internalConvertBucketIndexStats. An authenticated attacker with a low-privilege account can reach the affected code over the network by submitting a crafted aggregation pipeline that places $_internalConvertBucketIndexStats before a $facet stage on non-timeseries input, causing TeeBuffer to hit a hard invariant assertion and crash the mongod process. Successful exploitation brings down the database server, causing a full service outage for all connected clients. Patched-image rebuilds at versions 7.0.35, 8.0.10, 8.2.10, and 8.3.3 are available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including the MongoDB CNA advisory) within minutes of publication and matched against customer images in connected registries and CI pipelines, covering both official MongoDB images and custom-built images that bundle the affected mongod binary.

Triage: Available

Matched findings are scored at CVSS 7.1 HIGH (v4.0) and surfaced with that rating; per-environment compliance policy weighting is applied to prioritize or suppress the finding, and routing rules direct the alert to the appropriate team inbox within each customer organization.

Patch: Available

A patched-image rebuild at each fix version (7.0.35, 8.0.10, 8.2.10, or 8.3.3, depending on the branch in use) becomes available on HarborGuard once the upstream fix is confirmed. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs the configured regression suite, and opens a PR against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the MongoDB query interface over the network to submit the malicious aggregation pipeline.

  • Authentication: Required

    A valid database account is needed, though any low-privilege account with permission to run aggregation queries is sufficient.

  • Victim interaction: Not required

    No user or administrator action is required beyond the attacker issuing the crafted query.

  • Attack complexity: Low (AC:L)

    Exploitation is reliable and condition-free: the crash is deterministically triggered by placing $_internalConvertBucketIndexStats before $facet on non-timeseries input, with no race conditions or environmental dependencies.
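Because the crash condition is purely a matter of stage ordering, a defender can look for it in query records before a vulnerable node is upgraded. The following is an added example, not HarborGuard's or MongoDB's code: it scans JSON records shaped like a mongod "Slow query" entry (attr.command) or an audit authCheck entry (param.args) and flags aggregate commands whose top-level pipeline has $_internalConvertBucketIndexStats followed by $facet. The sample records and the empty stage argument are constructed placeholders.

```python
import json

VULN_STAGE = "$_internalConvertBucketIndexStats"
FACET_STAGE = "$facet"

def stage_names(pipeline):
    """Top-level stage names of a pipeline; each stage is a one-key document."""
    return [next(iter(s)) for s in pipeline if isinstance(s, dict) and len(s) == 1]

def has_crash_ordering(pipeline):
    """True when the internal stage is present and a $facet stage comes after it.
    Only top-level ordering is checked, which is the case the advisory describes."""
    names = stage_names(pipeline)
    if VULN_STAGE not in names:
        return False
    return FACET_STAGE in names[names.index(VULN_STAGE) + 1:]

def extract_command(rec):
    """Return the command document from a Slow query record (attr.command)
    or an audit authCheck record (param.args); None for anything else."""
    attr = rec.get("attr") or {}
    if isinstance(attr.get("command"), dict):
        return attr["command"]
    param = rec.get("param") or {}
    if isinstance(param.get("args"), dict):
        return param["args"]
    return None

def scan(lines):
    """Return (line_number, namespace) for each aggregate whose pipeline matches."""
    hits = []
    for n, line in enumerate(lines, 1):
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # unstructured line; nothing to inspect
        cmd = extract_command(rec)
        if not cmd or "aggregate" not in cmd:
            continue
        if has_crash_ordering(cmd.get("pipeline", [])):
            hits.append((n, f'{cmd.get("$db", "?")}.{cmd["aggregate"]}'))
    return hits

# Constructed sample records (not real captures): a benign $facet aggregate,
# an audit record with the risky ordering, and a non-JSON line.
SAMPLE_LOG = [
    '{"t":{"$date":"2026-01-01T00:00:00.000Z"},"s":"I","c":"COMMAND","msg":"Slow query","attr":{"type":"command","ns":"app.orders","command":{"aggregate":"orders","pipeline":[{"$match":{"status":"open"}},{"$facet":{"byDay":[{"$count":"n"}]}}],"$db":"app"}}}',
    '{"atype":"authCheck","ts":{"$date":"2026-01-01T00:00:01.000Z"},"users":[{"user":"reporting","db":"app"}],"param":{"command":"aggregate","ns":"app.events","args":{"aggregate":"events","pipeline":[{"$_internalConvertBucketIndexStats":{}},{"$facet":{"a":[{"$count":"n"}]}}],"$db":"app"}},"result":0}',
    'plain text line that is not a JSON record',
]

if __name__ == "__main__":
    for n, ns in scan(SAMPLE_LOG):
        print(f"line {n}: aggregate on {ns} places {VULN_STAGE} before {FACET_STAGE}")
```

Since the offending command crashes the server before a slow-query record is written, the audit log (which records the command at authorization time) or a proxy-side capture is the realistic source for this check.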

Blast Radius

  • The mongod process terminates immediately on hitting the invariant assertion, taking the entire database server offline.
  • All client connections to the affected mongod instance are dropped, interrupting reads and writes for every application sharing that server.
  • In replica set or sharded deployments, the crashed primary triggers an election or failover, introducing latency and a window of reduced availability during re-election.
  • No confidential data is read and no stored data is modified; the impact is limited to availability.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-9748 is active across all connected environments and will flag any image containing a MongoDB Server binary in the affected version ranges (7.0.0-7.0.34, 8.0.0-8.0.9, 8.2.0-8.2.9, 8.3.0-8.3.2). Where compliance policy permits, auto-remediation customers receive a rebuilt image pinned to the appropriate fix branch (7.0.35, 8.0.10, 8.2.10, or 8.3.3), a regression-test run against that image, and a PR opened against affected workloads. The median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. For environments where an immediate upgrade is not possible, compensating controls available through HarborGuard network policy tooling include restricting aggregation-capable database access to known application service accounts and applying network policies that limit which internal services can reach the mongod port directly.


Fix available: 7.0.35, 8.0.10, 8.2.10, 8.3.3

Affected packages
  • MongoDB / MongoDB Server
    < 8.3.3 (from 8.3.0) · < 8.2.10 (from 8.2.0) · < 8.0.10 (from 8.0.0) · < 7.0.35 (from 7.0.0)
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N