CVE-2026-9753: Server crash via malformed binary diff passed to $_internalApplyOplogUpdate.
The $_internalApplyOplogUpdate aggregation pipeline stage can be used to apply a document diff containing a malformed binary diff, causing an out-of-bounds memory read or a server crash. $_internalApplyOplogUpdate can be executed by any authenticated user with access to the aggregate command.
Metrics
- CVSS v4.0: 7.2
- Severity: HIGH
- Fixed in: 7.0.35
- Affected Products: 1
HarborGuard Analysis
Synopsis
An out-of-bounds memory read and server crash vulnerability exists in MongoDB Server's $_internalApplyOplogUpdate aggregation pipeline stage. The flaw is reachable over the network by any authenticated user with access to the aggregate command, requiring no elevated privileges. Successful exploitation reads memory contents outside intended bounds or crashes the mongod process entirely. Patched-image rebuilds at versions 7.0.35, 8.0.24, 8.2.10, and 8.3.3 are available on HarborGuard for environments running affected versions.
HarborGuard Coverage
Detection is available across every HarborGuard environment: CVE-2026-9753 is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built MongoDB images, across connected registries and CI/CD pipelines. Any image running a vulnerable MongoDB Server version in the affected ranges is flagged automatically.
HarborGuard scores this CVE at 7.2 HIGH using the CVSS v4.0 vector and weights it against each environment's compliance policy to determine urgency and routing. Triage alerts are delivered to the appropriate team inbox within each customer organization based on configured ownership rules.
Patched-image rebuilds targeting versions 7.0.35, 8.0.24, 8.2.10, and 8.3.3 become available on HarborGuard as soon as the fixed upstream images are published. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs regression tests, and opens a PR against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
The attacker must reach the MongoDB service over the network to submit the malformed aggregation pipeline request.
- Authentication: Required
Any low-privilege account with access to the aggregate command is sufficient; no admin or elevated role is needed.
- Victim interaction: Not required
No victim action is needed; the attacker submits the malformed request directly without any user interaction.
- Attack complexity: Low
The exploit is reliable and condition-free, requiring no race conditions, special memory layout, or environmental dependencies.
Blast Radius
- Reads memory contents outside the intended buffer, potentially exposing in-process data such as documents, connection state, or credentials held in the mongod process memory.
- Crashes the mongod server process, taking down all databases and connections served by that instance.
- A repeated crash loop denies service to all applications and users depending on the affected MongoDB node.
- Replica set members or standalone instances are equally affected, so a targeted crash can disrupt replication and availability.
How HarborGuard Handles This
Available on HarborGuard: CVE-2026-9753 is matched against customer images continuously, covering all four affected MongoDB Server version ranges (7.0.0-7.0.34, 8.0.0-8.0.23, 8.2.0-8.2.9, 8.3.0-8.3.2). For customers who opt into auto-remediation, HarborGuard rebuilds the image at the appropriate fix version (7.0.35, 8.0.24, 8.2.10, or 8.3.3), runs regression tests against the rebuilt image, and opens a PR against affected workloads; for HIGH-severity issues, the median time from CVE publication to merged patch PR in auto-remediation-enabled environments is around 90 minutes. Where compliance policy does not permit auto-remediation, HarborGuard surfaces the finding in the triage queue with fix-version guidance so engineering teams can act manually. As a compensating control prior to patching, network policy rules that restrict aggregate command access to trusted internal clients reduce the exposure window for this vulnerability.
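To make the compensating control above checkable, here is an added example (not HarborGuard's or MongoDB's code) that flags aggregate commands using the $_internalApplyOplogUpdate stage, including inside $lookup/$unionWith sub-pipelines, from accounts other than internal system users, and checks a mongod version against the affected ranges listed on this page. The log records and the attr.user field are constructed assumptions; real mongod logs attribute users differently (for example via audit records), so map that field to your own source.

```python
import json

STAGE = "$_internalApplyOplogUpdate"
# First fixed release per affected branch, as listed on the page.
FIXED = {(7, 0): (7, 0, 35), (8, 0): (8, 0, 24), (8, 2): (8, 2, 10), (8, 3): (8, 3, 3)}

def is_affected(version: str) -> bool:
    """True if a mongod version string falls in one of the affected ranges."""
    major, minor, patch = (int(x) for x in version.split(".")[:3])
    fixed = FIXED.get((major, minor))
    return fixed is not None and (major, minor, patch) < fixed

def contains_stage(node) -> bool:
    """Walk a pipeline (including nested sub-pipelines) looking for the stage name."""
    if isinstance(node, dict):
        return any(k == STAGE or contains_stage(v) for k, v in node.items())
    if isinstance(node, list):
        return any(contains_stage(x) for x in node)
    return False

def flag_records(lines, internal_users=frozenset({"__system"})):
    """Return (user, ns) for each JSON log record whose aggregate command uses the
    stage from a user that is not an internal replication/system account."""
    hits = []
    for line in lines:
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # skip non-JSON lines rather than abort the scan
        attr = rec.get("attr", {})
        cmd = attr.get("command", {})
        if "aggregate" not in cmd or not contains_stage(cmd.get("pipeline", [])):
            continue
        user = attr.get("user", "unknown")  # assumed field; map from audit/ctx in real logs
        if user not in internal_users:
            hits.append((user, attr.get("ns", "?")))
    return hits

# Constructed sample records modelled on mongod's JSON log shape (not real logs).
# The stage argument is a placeholder; detection keys only on the stage name.
SAMPLE_LOG = [
    '{"c":"COMMAND","attr":{"ns":"app.orders","user":"reporting","command":{"aggregate":"orders","pipeline":[{"$match":{"status":"open"}}]}}}',
    '{"c":"COMMAND","attr":{"ns":"app.orders","user":"reporting","command":{"aggregate":"orders","pipeline":[{"$_internalApplyOplogUpdate":{"oplogUpdate":"<placeholder>"}}]}}}',
    '{"c":"COMMAND","attr":{"ns":"app.users","user":"analytics","command":{"aggregate":"users","pipeline":[{"$lookup":{"from":"x","pipeline":[{"$_internalApplyOplogUpdate":{"oplogUpdate":"<placeholder>"}}],"as":"j"}}]}}}',
    '{"c":"COMMAND","attr":{"ns":"local.oplog.rs","user":"__system","command":{"aggregate":"oplog.rs","pipeline":[{"$_internalApplyOplogUpdate":{"oplogUpdate":"<placeholder>"}}]}}}',
    'not a json line',
]
```

Run `flag_records(SAMPLE_LOG)` to get the two non-system hits; `is_affected("7.0.34")` is true and `is_affected("7.0.35")` is false.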
Fix available
- MongoDB / MongoDB Server: < 8.3.3 (from 8.3.0) · < 8.2.10 (from 8.2.0) · < 8.0.24 (from 8.0.0) · < 7.0.35 (from 7.0.0)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N