CVE-2026-9746

EUVD-2026-35862
When using $changestreams and $_requestReshardingResumeToken with the exchange option the server hits an invariant which causes the server to crash. There are no special privileges needed. The user must be logged in to issue the statement.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
mongodbCNA
6.5 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 12%
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
mongodbmongodb
8.3.0 ≤
𝑥
< 8.3.3
CNA
mongodbmongodb
8.2.0 ≤
𝑥
< 8.2.10
CNA
mongodbmongodb
8.0.0 ≤
𝑥
< 8.0.24
CNA
mongodbmongodb
7.0.0 ≤
𝑥
< 7.0.35
CNA
Common Weakness Enumeration
Vulnerability Media Exposure
References
https://jira.mongodb.org/browse/SERVER-124190