CVE-2026-8336

EUVD-2026-29893
After invoking $_internalJsEmit, which is not intended to be directly accessible, or mapreduce command’s map function in a certain way, an authenticated user can subsequently crash mongod when the server-side JavaScript engine (through $where, $function, mapreduce reduce stage, etc.) is used also in a specific way, resulting in a post-authentication denial-of-service.

This issue impacts MongoDB Server v7.0 versions prior to 7.0.34, v8.0 versions prior to 8.0.23, v8.2 versions prior to 8.2.9 and v8.3 versions prior to 8.3.2.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
mongodbCNA
7.5 HIGH
NETWORK
HIGH
LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 15%
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
mongodbmongodb
7.0 ≤
𝑥
< 7.0.34
CNA
mongodbmongodb
8.0 ≤
𝑥
< 8.0.23
CNA
mongodbmongodb
8.2 ≤
𝑥
< 8.2.9
CNA
mongodbmongodb
8.3 ≤
𝑥
< 8.3.2
CNA
Common Weakness Enumeration
Vulnerability Media Exposure
References
https://jira.mongodb.org/browse/SERVER-121610