CVE-2026-9749 · Severity: HIGH · CNA: mongodb

CVE-2026-9749: Using MaxKey() may crash the server

This issue can occur when running an aggregation pipeline that uses the internal $exchange stage configured with key-range partitioning and order-preserving delivery. If a single key range produces enough documents to fill its exchange buffer (that is, many results are routed to the same consumer), the server reaches the code path where a full per-consumer buffer is detected but the internal "high watermark" for that key range is not updated as intended.

Metrics

CVSS v4.0: 7.1
Severity: HIGH
Fixed in: 7.0.35
Affected products: 1


HarborGuard Analysis

Synopsis

A server crash vulnerability exists in MongoDB Server affecting the internal $exchange aggregation stage when used with key-range partitioning and order-preserving delivery. The flaw is reachable over the network by any low-privilege authenticated user, and successful exploitation crashes the MongoDB server process, causing a full denial of service. Patched-image rebuilds at versions 7.0.35, 8.0.24, 8.2.10, and 8.3.3 are available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-9749 is available across every HarborGuard environment, with the CVE matched against images in customer registries and CI/CD pipelines within minutes of publication. Coverage includes custom-built images that bundle MongoDB Server in any of the affected version ranges.

Triage: Available

Triage is available with CVSS v4.0 scoring of 7.1 (HIGH), and per-environment compliance policy weighting can adjust priority routing based on how each customer organization classifies availability impact. Findings are routed to the appropriate team inbox within each customer org based on configured escalation rules.

Patch: Available

A patched-image rebuild at each of the fix versions (7.0.35, 8.0.24, 8.2.10, 8.3.3) becomes available in HarborGuard once the upstream base image is published. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads.

Exploit Conditions

  • Network reachability: Required

    The vulnerable MongoDB Server must be reachable over the network; an attacker sends a crafted aggregation pipeline request across a network connection.

  • Authentication: Required

    A low-privilege account is sufficient; any authenticated MongoDB user who can run aggregation pipelines can trigger the vulnerable code path.

  • Victim interaction: Not required

    No victim interaction is needed; the attacker submits the malicious pipeline request directly without requiring any action from another user.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, memory layout, or other environmental factors.

Blast Radius

  • Crashes the MongoDB server process, taking the database offline and making all hosted data inaccessible until the service is restarted.
  • Any application or service that depends on the affected MongoDB instance loses database connectivity for the duration of the outage.
  • No confidentiality or integrity impact is present; the attacker cannot read or modify stored data through this vulnerability.

How HarborGuard Handles This

Available on HarborGuard: detection fires within minutes of CVE publication, matching all images in customer registries and pipelines that bundle MongoDB Server in the ranges 7.0.0-7.0.34, 8.0.0-8.0.23, 8.2.0-8.2.9, or 8.3.0-8.3.2. Patched-image rebuilds at 7.0.35, 8.0.24, 8.2.10, and 8.3.3 are available as soon as the upstream base images are published. For customers who opt into auto-remediation, HarborGuard rebuilds the image, runs a regression test suite, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy requires manual approval, the finding is routed to the designated team inbox with CVSS scoring and fix-version details attached. Because the only impact is availability, compensating controls such as network-policy rules that restrict aggregation-capable connections to trusted internal services can reduce exposure while a patched rebuild is being validated.
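As an added example (not HarborGuard's or MongoDB's own tooling), the following Python script checks reported server versions against the affected ranges stated in this advisory and names the first fixed release on each branch; the inventory it runs over is constructed, and versions on branches the advisory does not list (such as 8.1.x) are reported as outside the listed ranges rather than as safe.

```python
"""Check MongoDB Server versions against the CVE-2026-9749 affected ranges."""
import re

# Ranges as stated in this advisory: (first affected, first fixed) per branch.
AFFECTED_RANGES = [
    ((7, 0, 0), (7, 0, 35)),
    ((8, 0, 0), (8, 0, 24)),
    ((8, 2, 0), (8, 2, 10)),
    ((8, 3, 0), (8, 3, 3)),
]

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")

def parse_version(text):
    """Turn '7.0.34' or 'v8.0.23' into a (major, minor, patch) tuple.
    Pre-release strings such as '8.0.24-rc0' are rejected on purpose: an rc
    is not the fixed release, so it must be assessed by hand, not assumed safe."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised MongoDB version string: {text!r}")
    return tuple(int(part) for part in m.groups())

def assess(version_text):
    """Return (affected, fix_version). fix_version is the first fixed release
    on that branch, or None when the version lies outside every listed range
    (e.g. 8.1.x, which this advisory does not list at all)."""
    version = parse_version(version_text)
    for first_affected, first_fixed in AFFECTED_RANGES:
        if first_affected <= version < first_fixed:
            return True, ".".join(str(n) for n in first_fixed)
    return False, None

def report(inventory):
    """Summarise a {name: version} inventory as one line per server."""
    lines = []
    for name, version in inventory.items():
        affected, fix = assess(version)
        verdict = f"AFFECTED, upgrade to {fix}" if affected else "not in a listed range"
        lines.append(f"{name}: {version} -> {verdict}")
    return lines

if __name__ == "__main__":
    # Constructed sample inventory; names and versions are not real hosts.
    sample = {"orders-db": "7.0.34", "analytics-db": "8.0.24",
              "reports-db": "8.2.9", "rapid-db": "8.1.2"}
    print("\n".join(report(sample)))
```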


Fix available

7.0.35, 8.0.24, 8.2.10, 8.3.3
Affected packages
  • MongoDB / MongoDB Server
    < 8.3.3 (from 8.3.0) · < 8.2.10 (from 8.2.0) · < 8.0.24 (from 8.0.0) · < 7.0.35 (from 7.0.0)
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N