CVE-2026-9754: Stack memory disclosure in filemd5 command
An authenticated user with the read role may read limited amounts of uninitialized stack memory via specially-crafted issuances of the filemd5 command
Metrics
- CVSS v4.0: 7.1
- Severity: HIGH
- Fixed in: 8.2.10
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is a stack memory disclosure vulnerability in MongoDB affecting versions 8.2.0 through 8.2.9 and 8.3.0 through 8.3.2. It is reachable over the network by any authenticated user holding the read role, with no elevated privileges required. Successful exploitation lets the attacker read small amounts of uninitialized stack memory, potentially exposing sensitive in-process data such as credentials, keys, or other secrets that happen to be resident in that memory region. Patched-image rebuilds at versions 8.2.10 and 8.3.3 are available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection of CVE-2026-9754 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in connected registries and CI pipelines, including custom-built images that bundle MongoDB. Coverage applies to both affected version ranges (8.2.x and 8.3.x) without requiring any additional configuration.
HarborGuard scores this CVE at CVSS 7.1 (HIGH) and surfaces it accordingly in each customer's triage queue, weighted against that environment's compliance policy (for example, stricter data-handling policies can promote this to a higher-priority routing). Findings are routed to the team inbox or ticketing integration configured for each customer org.
A patched-image rebuild at MongoDB 8.2.10 or 8.3.3 becomes available in HarborGuard as soon as the upstream base image incorporating the fix is published. For customers with auto-remediation enabled, HarborGuard triggers a rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
The attacker must reach the MongoDB service over the network to issue the filemd5 command.
- Authentication: Required
A valid account with at least the read role is needed; no admin or elevated privileges are required beyond that low-privilege grant.
- Victim interaction: Not required
No action from another user or victim is needed; the attacker sends the crafted command directly.
- Attack complexity: Low
Attack complexity is low, meaning the exploit is reliable and requires no special race conditions, memory layout knowledge, or other environmental prerequisites.
Blast Radius
- The attacker reads small amounts of raw, uninitialized stack memory from the MongoDB server process.
- That memory region may contain fragments of in-process data such as authentication tokens, encryption keys, connection strings, or query results from other users.
- Confidentiality of data held in memory is compromised; no writes, deletes, or service disruption are introduced by this vulnerability.
- The scope is limited to the affected MongoDB process; no cross-system (scope-changed) impact is indicated by the CVSS vector.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-9754 is active across customer environments that scan MongoDB images in the 8.2.x or 8.3.x version range. Because this is a HIGH-severity issue with a published fix, environments with auto-remediation enabled can expect a rebuilt image, regression run, and a PR opened against affected workloads within approximately 90 minutes of CVE publication (median time for high-severity issues). The PR targets the appropriate fix version based on the installed minor branch: 8.2.10 for 8.2.x deployments and 8.3.3 for 8.3.x deployments. Where compliance policy requires manual approval, the rebuilt image and supporting scan report are staged in the HarborGuard dashboard for one-click promotion. Customers who need to defer patching should consider applying network policy controls to restrict access to the MongoDB port to only trusted application service accounts, reducing the pool of users who can issue filemd5 commands while the upgrade is scheduled.
Fix available
- MongoDB / MongoDB: < 8.3.3 (from 8.3.0) · < 8.2.10 (from 8.2.0)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
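The following triage helper is an added example, not HarborGuard's or MongoDB's own code. It encodes only what this advisory states: the two affected version ranges with their fix versions, and the CVSS v4.0 vector above, which it decodes into the same exploit conditions listed earlier (AV:N, PR:L, UI:N, AC:L, SC:N). The function names and the sample version strings are constructed for the example; the `triage` function is meant to be run against the version reported by an inventory or image scan.

```python
"""Triage helper for CVE-2026-9754 (added example; not vendor code)."""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges and fix versions exactly as stated in the advisory:
# (first affected, last affected, fixed in)
AFFECTED_RANGES = (
    ((8, 2, 0), (8, 2, 9), (8, 2, 10)),
    ((8, 3, 0), (8, 3, 2), (8, 3, 3)),
)

# The CVSS v4.0 vector published for this CVE.
CVE_2026_9754_VECTOR = (
    "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
)


def parse_version(version: str) -> Version:
    """Parse 'X.Y.Z' (optionally prefixed with 'v', optionally with a
    pre-release/build suffix such as '-rc0') into a comparable tuple."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?", version.strip())
    if not m:
        raise ValueError(f"unrecognised MongoDB version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def fix_version_for(version: str) -> Optional[str]:
    """Return the fix version to upgrade to if `version` is affected,
    otherwise None (already fixed, or outside the stated ranges)."""
    v = parse_version(version)
    for first, last, fixed in AFFECTED_RANGES:
        if first <= v <= last:
            return ".".join(str(n) for n in fixed)
    return None


def parse_cvss4_vector(vector: str) -> Dict[str, str]:
    """Split a CVSS v4.0 vector string into a metric -> value mapping."""
    prefix, _, rest = vector.partition("/")
    if prefix != "CVSS:4.0":
        raise ValueError(f"not a CVSS v4.0 vector: {vector!r}")
    metrics = {}
    for item in rest.split("/"):
        name, sep, value = item.partition(":")
        if not sep or not name or not value:
            raise ValueError(f"malformed metric {item!r} in {vector!r}")
        metrics[name] = value
    return metrics


def exploit_conditions(vector: str) -> Dict[str, str]:
    """Express the base metrics as the advisory's 'Exploit Conditions'."""
    m = parse_cvss4_vector(vector)
    return {
        "network_reachability": "Required" if m.get("AV") == "N" else "Not required",
        "authentication": {"N": "Not required", "L": "Required (low privilege)",
                           "H": "Required (high privilege)"}.get(m.get("PR", ""), "Unknown"),
        "victim_interaction": "Not required" if m.get("UI") == "N" else "Required",
        "attack_complexity": "Low" if m.get("AC") == "L" else "High",
        "scope_changed": m.get("SC") not in (None, "N"),
    }


def triage(version: str, vector: str = CVE_2026_9754_VECTOR) -> Dict[str, object]:
    """Combine the version check and the vector decode into one record
    suitable for a ticket or inventory report."""
    fix = fix_version_for(version)
    return {
        "installed": version,
        "affected": fix is not None,
        "upgrade_to": fix,
        **exploit_conditions(vector),
    }


if __name__ == "__main__":
    # Constructed sample inventory; versions chosen to cover each range.
    for sample in ("8.2.3", "8.2.10", "8.3.1", "8.3.3", "8.1.4"):
        print(triage(sample))
```

Because the read role is the only privilege the vector requires (PR:L), the `authentication` field should be read as "any authenticated account", which is why the advisory's interim mitigation is network policy around the MongoDB port rather than a role change.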