CVE-2026-8053

EUVD-2026-29888

13.05.2026, 04:17

An issue in MongoDB Server's time-series collection implementation allows an authenticated user with database write privileges to trigger an out-of-bounds memory write in the mongod process. The issue results from an inconsistency in the internal field-name-to-index mapping within the time-series bucket catalog. Under certain conditions this can result in arbitrary code execution.

This issue impacts MongoDB Server v5.0 versions prior to 5.0.33, v6.0 versions prior to 6.0.28, v7.0 versions prior to 7.0.34, v8.0 versions prior to 8.0.23, v8.2 versions prior to 8.2.9 and v8.3 versions prior to 8.3.2.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
mongodb	CNA	8.8 HIGH	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 19%

Early Detection

Affected products identified ahead of NVD analysis through intelligence sources.

Vendor	Product	Version	Source
mongodb	mongodb	5.0 ≤ 𝑥 < 5.0.33	CNA
mongodb	mongodb	6.0 ≤ 𝑥 < 6.0.28	CNA
mongodb	mongodb	7.0 ≤ 𝑥 < 7.0.34	CNA
mongodb	mongodb	8.0 ≤ 𝑥 < 8.0.23	CNA
mongodb	mongodb	8.2 ≤ 𝑥 < 8.2.9	CNA
mongodb	mongodb	8.3 ≤ 𝑥 < 8.3.2	CNA

Common Weakness Enumeration

CWE-787 - Out-of-bounds Write
The software writes data past the end, or before the beginning, of the intended buffer.

Vulnerability Media Exposure

[GERMAN] MongoDB: Mehrere Schwachstellen
Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in MongoDB ausnutzen, um beliebigen Programmcode auszuführen, Daten zu manipulieren, vertrauliche Informationen offenzulegen oder einen Denial-of-Service-Zustand zu verursachen.
Published: 2026-05-12T22:00:00+00:00

References

https://jira.mongodb.org/browse/SERVER-126021