CVE-2026-8053

HIGH 8.8

FlatBSON Duplicate Field Index Drift

CVSS Score

8.8

EPSS Score

0.1%

EPSS Percentile

20th

An issue in MongoDB Server's time-series collection implementation allows an authenticated user with database write privileges to trigger an out-of-bounds memory write in the mongod process. The issue results from an inconsistency in the internal field-name-to-index mapping within the time-series bucket catalog. Under certain conditions this can result in arbitrary code execution. This issue impacts MongoDB Server v5.0 versions prior to 5.0.33, v6.0 versions prior to 6.0.28, v7.0 versions prior to 7.0.34, v8.0 versions prior to 8.0.23, v8.2 versions prior to 8.2.9 and v8.3 versions prior to 8.3.2.

CWE	CWE-787
Vendor	mongodb, inc.
Product	mongodb server
Published	May 12, 2026
Last Updated	May 13, 2026

Stay Ahead of the Next One

Get instant alerts for mongodb, inc. mongodb server

Be the first to know when new high vulnerabilities affecting mongodb, inc. mongodb server are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

MongoDB, Inc. / MongoDB Server

5.0 < 5.0.33 6.0 < 6.0.28 7.0 < 7.0.34 8.0 < 8.0.23 8.2 < 8.2.9 8.3 < 8.3.2

References

NVD ↗ CVE.org ↗ EPSS Data ↗

jira.mongodb.org: https://jira.mongodb.org/browse/SERVER-126021