CVE-2026-8063

EUVD-2026-28326

07.05.2026, 06:16

An authenticated user can crash mongod when running $rankFusion or $scoreFusion with an empty pipeline on a view.

When resolving a view, the server inspects the aggregation pipeline to determine whether it begins with an Atlas Search stage. For $rankFusion and $scoreFusion, this inspection reads the first element on each stage’s input pipeline array without first verifying that the array is non-empty. Supplying an empty pipeline causes a null pointer dereference and crashes the server.

This issue affects MongoDB Server 8.2 versions prior to 8.2.7.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
mongodb	CNA	6.5 MEDIUM	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 11%

Early Detection

Affected products identified ahead of NVD analysis through intelligence sources.

Vendor	Product	Version	Source
mongodb	mongodb	8.2.0 ≤ 𝑥 < 8.2.7	CNA

Common Weakness Enumeration

CWE-476 - NULL Pointer Dereference
A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.

Vulnerability Media Exposure

[GERMAN] MongoDB: Schwachstelle ermöglicht Denial of Service
Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in MongoDB ausnutzen, um einen Denial of Service Angriff durchzuführen.
Published: 2026-05-06T22:00:00+00:00

References

https://jira.mongodb.org/browse/SERVER-121851