CVE-2026-11933

EUVD-2026-36373

12.06.2026, 02:16

A use-after-free vulnerability exists in MongoDB Server's server-side JavaScript engine when converting BSON documents to JavaScript arrays. An authenticated user with read privileges who is able to run server-side JavaScript (for example, via $where or $function) can cause the server to access memory that has already been freed. This may result in disclosure of information from the mongod process memory or a denial of service through a server crash.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
mongodb	CNA	8.8 HIGH	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Early Detection

Affected products identified ahead of NVD analysis through intelligence sources.

Vendor	Product	Version	Source
mongodb	mongodb	8.3.0 ≤ 𝑥 ≤ 8.3.3	CNA
mongodb	mongodb	8.2.0 ≤ 𝑥 ≤ 8.2.10	CNA
mongodb	mongodb	8.0.0 ≤ 𝑥 ≤ 8.0.25	CNA
mongodb	mongodb	7.0.0 ≤ 𝑥 ≤ 7.0.36	CNA
mongodb	mongodb	6.0 ≤ 𝑥 ≤ 6.0.28	CNA
mongodb	mongodb	5.0 ≤ 𝑥 ≤ 5.0.33	CNA
mongodb	mongodb	4.4.0 ≤ 𝑥 ≤ 4.4.30	CNA

Common Weakness Enumeration

CWE-787 - Out-of-bounds Write
The software writes data past the end, or before the beginning, of the intended buffer.

Vulnerability Media Exposure

[GERMAN] MongoDB: Schwachstelle ermöglicht Denial of Service und Offenlegung von Informationen
Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in MongoDB ausnutzen, um einen Denial of Service Angriff durchzuführen oder vertrauliche Informationen offenzulegen.
Published: 2026-06-11T22:00:00+00:00

References

https://jira.mongodb.org/browse/SERVER-128125