HIGH · CVE-2026-9750 · Published · Modified · CNA: mongodb

CVE-2026-9750: Metadata name collision on $-prefixed fields causes post-auth server crash

An authenticated user can cause a MongoDB server to crash or return incorrect results by creating documents that interfere with internal metadata processing during query execution. This stems from insufficient separation between user-controlled document fields and internal metadata in certain execution paths.

Metrics

  • CVSS v4.0: 7.1
  • Severity: HIGH
  • Fixed in: 7.0.35 (the later branches are fixed in 8.0.24, 8.2.10 and 8.3.3; see Fix available below)
  • Affected products: 1


HarborGuard Analysis

Synopsis

A server crash vulnerability affects MongoDB Server across the 7.0, 8.0, 8.2, and 8.3 release lines. An authenticated user with network access to the server can craft documents whose dollar-sign-prefixed field names collide with internal metadata used during query execution, causing the server to crash or return incorrect results. Successful exploitation disrupts availability of the MongoDB instance and requires only a low-privilege account, not administrative rights. Patched-image rebuilds at versions 7.0.35, 8.0.24, 8.2.10, and 8.3.3 are available on HarborGuard for environments running affected versions.

HarborGuard Coverage

Detection: Available

Detection capability is available across every HarborGuard environment, with CVE ingestion from upstream feeds including the MongoDB CNA within minutes of publication. Matching runs against all customer registry images and CI pipeline stages, including custom-built images that bundle MongoDB Server.

Triage: Available

HarborGuard scores this CVE at 7.1 HIGH using the published CVSS v4.0 vector and can weight that score against each environment's compliance policy to determine urgency. Triage findings are routed to the appropriate team inbox within each customer organization based on configured ownership rules.

Patch: Available

A patched-image rebuild targeting the applicable fix version (7.0.35, 8.0.24, 8.2.10, or 8.3.3 depending on the installed branch) becomes available on HarborGuard once the upstream fix is confirmed. For customers who opt into auto-remediation, HarborGuard runs the rebuild, executes a regression test pass, and opens a PR against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the MongoDB server over the network to send crafted documents.

  • Authentication: Required

    Any valid low-privilege account is sufficient; no administrative credentials are needed.

  • Victim interaction: Not required

    No action from another user or administrator is needed to trigger the crash.

  • Attack complexity: Low

    The exploit is reliable and requires no special environmental conditions, race conditions, or memory layout knowledge.

Blast Radius

  • Crashes the MongoDB server process, taking the database instance offline and denying service to all connected applications.
  • May cause query execution paths to return incorrect results before a crash, potentially corrupting application-layer logic that trusts query output.
  • Recovery requires a process restart, introducing unplanned downtime for any workload backed by the affected MongoDB instance.

How HarborGuard Handles This

Available on HarborGuard: detection fires within minutes of CVE publication for any image found to carry an affected MongoDB Server version (any 7.0.x before 7.0.35, 8.0.x before 8.0.24, 8.2.x before 8.2.10, or 8.3.x before 8.3.3). Where compliance policy permits auto-remediation, HarborGuard rebuilds the image at the correct fix version, runs a regression suite, and opens a patch PR against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. For environments where auto-remediation is not enabled, the triage finding is surfaced with CVSS severity and routing metadata so the responsible team can act manually. In the interim, shrink the pool of accounts capable of crafting the malicious documents: grant write privileges only to the roles that need them through MongoDB's role-based access control (read-only roles for reporting and analytics users, for example), and use network controls such as bind addresses, firewall rules and IP allow-lists to limit which clients can reach the server at all, since the attack requires both network access and valid credentials. These controls reduce exposure; only upgrading to a fixed release removes the vulnerability.
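The advisory attributes the crash to user-supplied documents whose $-prefixed field names collide with internal metadata. An application-side guard that refuses to persist such documents is a second interim control alongside the access restrictions above. The block below is an added example, not code from HarborGuard or MongoDB; it assumes the application never legitimately stores $-prefixed keys inside inserted documents, and that the collection object follows a pymongo-style insert_one() API. It must not be applied to update specifications, whose top-level $set/$inc operators are legitimate, and it does not replace the upgrade.

```python
"""Application-side guard against $-prefixed field names in stored documents.

Added example; not HarborGuard's or MongoDB's code. Assumption: the
application never needs $-prefixed keys inside the documents it inserts, so
any such key at any depth is treated as tampering and the document is
rejected before it reaches the server. Defence in depth for the interim
only; upgrading to a fixed release is the actual fix.
"""


class UnsafeDocument(ValueError):
    """Raised when a document contains a $-prefixed field name."""


def find_dollar_keys(doc, path=""):
    """Return dotted paths of every $-prefixed key in `doc`, descending into
    nested documents and arrays, e.g. ['prefs.$meta', 'tags[0].$x']."""
    found = []
    if isinstance(doc, dict):
        for key, value in doc.items():
            here = f"{path}.{key}" if path else str(key)
            if isinstance(key, str) and key.startswith("$"):
                found.append(here)
            found.extend(find_dollar_keys(value, here))
    elif isinstance(doc, list):
        for i, item in enumerate(doc):
            found.extend(find_dollar_keys(item, f"{path}[{i}]"))
    return found


def is_safe_document(doc):
    """True when `doc` contains no $-prefixed key at any depth."""
    return not find_dollar_keys(doc)


def assert_safe_document(doc):
    """Return `doc` unchanged if it is safe, else raise UnsafeDocument."""
    bad = find_dollar_keys(doc)
    if bad:
        raise UnsafeDocument(f"refusing document with $-prefixed field(s): {bad}")
    return doc


def safe_insert_one(collection, doc):
    """Wrapper for collection.insert_one() (pymongo-style API assumed) that
    validates the document before sending it to the server."""
    return collection.insert_one(assert_safe_document(doc))


# Constructed sample documents (not real data). The second mimics
# user-controlled JSON that smuggled $-prefixed names into a nested object
# and into an array element, the two places a shallow check would miss.
SAFE_DOC = {"user": "alice", "prefs": {"theme": "dark"}, "tags": ["a", "b"]}
UNSAFE_DOC = {"user": "bob", "prefs": {"$meta": 1}, "tags": [{"$x": 1}]}

if __name__ == "__main__":
    print(find_dollar_keys(UNSAFE_DOC))  # ['prefs.$meta', 'tags[0].$x']
    try:
        assert_safe_document(UNSAFE_DOC)
    except UnsafeDocument as exc:
        print(exc)
```

Run the check at the boundary where untrusted input becomes a document (request deserialisation or the data-access layer), so that every insert path is covered rather than only the ones a developer remembered to guard.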


Fix available

7.0.35 · 8.0.24 · 8.2.10 · 8.3.3
Affected packages
  • MongoDB / MongoDB Server
    < 8.3.3 (from 8.3.0) · < 8.2.10 (from 8.2.0) · < 8.0.24 (from 8.0.0) · < 7.0.35 (from 7.0.0)
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
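The affected ranges above (and the same ranges restated under How HarborGuard Handles This) are per-branch: a version is affected only if its major.minor branch is listed and it is below that branch's first fixed release. The block below is an added example of that check for a fleet inventory, not HarborGuard's or MongoDB's code. The branch-to-fix mapping is copied from this page; the rest is assumption: version strings are "major.minor.patch" with an optional "-suffix" (a suffix such as "-rc0" is treated as older than the final release), and branches the advisory does not list are reported as not affected rather than unknown.

```python
"""Affected-version check for CVE-2026-9750.

Added example, not HarborGuard's or MongoDB's code. FIXED_IN is copied from
the advisory; the version-string format and the handling of pre-release
suffixes and unlisted branches are assumptions (see comments).
"""
import re

# First fixed release on each affected branch, as listed in the advisory.
FIXED_IN = {
    (7, 0): (7, 0, 35),
    (8, 0): (8, 0, 24),
    (8, 2): (8, 2, 10),
    (8, 3): (8, 3, 3),
}

# Assumed format: "X.Y.Z" optionally followed by "-suffix" (e.g. "8.3.3-rc0").
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?$")


def parse_version(text):
    """Parse 'X.Y.Z' or 'X.Y.Z-suffix' into a tuple that sorts correctly.

    The fourth element is 0 for pre-releases and 1 for final releases, so
    '8.3.3-rc0' sorts below '8.3.3' (assumption: a pre-release of the fix
    release is still treated as unfixed).
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised MongoDB version string: {text!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    suffix = m.group(4) or ""
    return (major, minor, patch, 0 if suffix else 1, suffix)


def fix_version_for(version):
    """Return the fix release (as a string) that `version` should move to,
    or None if it is not in an affected range."""
    v = parse_version(version)
    fix = FIXED_IN.get(v[:2])  # branch key is (major, minor)
    if fix is None:
        return None  # branch not listed as affected (assumption: not unknown)
    fix_str = "%d.%d.%d" % fix
    return fix_str if v < parse_version(fix_str) else None


def is_affected(version):
    """True when `version` falls inside one of the advisory's ranges."""
    return fix_version_for(version) is not None


def triage(inventory):
    """Map a fleet inventory (name -> version string) to name -> required
    fix release, keeping only the affected entries."""
    return {
        name: fix
        for name, version in inventory.items()
        if (fix := fix_version_for(version)) is not None
    }


# Constructed sample inventory; names and versions are invented.
SAMPLE_INVENTORY = {
    "orders-db": "7.0.34",      # affected, one patch behind
    "analytics-db": "8.0.24",   # exactly the fix release
    "staging-db": "8.3.3-rc0",  # pre-release of the fix, still unfixed
    "legacy-db": "6.0.20",      # branch not listed by the advisory
}

if __name__ == "__main__":
    for name, fix in triage(SAMPLE_INVENTORY).items():
        print(f"{name}: {SAMPLE_INVENTORY[name]} -> upgrade to {fix}")
```

Feed it the output of `db.version()` or the `mongod --version` string from each image, and treat a ValueError from parse_version as "unknown, inspect manually" rather than as not affected.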