CVE-2026-8201
Use-After-Free in MongoDB FLE Query Analysis When Processing Positional Projections on Encrypted Fields
| CVSS Score | 6.4 (Medium) |
| EPSS Score | 0.0% |
| EPSS Percentile | 6th |
A use-after-free vulnerability exists in MongoDB's Field-Level Encryption (FLE) query analysis component, affecting client-side uses of mongocryptd and crypt_shared. Triggering this vulnerability requires control over the structure of a client's FLE-related query. This issue impacts MongoDB Server's mongocryptd component v7.0 versions prior to 7.0.34, v8.0 versions prior to 8.0.23, v8.2 versions prior to 8.2.9 and v8.3 versions prior to 8.3.2.
| CWE | CWE-416 |
| Vendor | mongodb, inc. |
| Product | mongodb server |
| Published | May 13, 2026 |
| Last Updated | May 13, 2026 |
CVSS v3 Breakdown
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H
| Attack Vector | Network |
| Attack Complexity | High |
| Privileges Required | Low |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | Low |
| Integrity | Low |
| Availability | High |
Affected Versions
MongoDB, Inc. / MongoDB Server
| Branch | Affected | Fixed in |
| 7.0 | < 7.0.34 | 7.0.34 |
| 8.0 | < 8.0.23 | 8.0.23 |
| 8.2 | < 8.2.9 | 8.2.9 |
| 8.3 | < 8.3.2 | 8.3.2 |
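The practical question for an operator is whether a deployed mongocryptd (or the crypt_shared library shipped with the same release train) falls inside the ranges above. The following check is an added example, not part of this advisory or of MongoDB's own tooling: it encodes the four fixed versions from the Affected Versions table and classifies a version string. Two assumptions are labelled in the code: the sample `mongocryptd --version` lines are constructed (only the X.Y.Z token is parsed, so the surrounding text does not matter), and crypt_shared builds are assumed to carry the same version number as the server release they ship with. Branches the advisory does not list (for example 6.0 or 8.1) are reported as "not listed" rather than silently treated as safe.

```python
import re

# Fixed versions per release branch, taken from the advisory's Affected Versions
# table: a release on a listed branch is affected when it is older than the fix.
FIXED_VERSIONS = {
    (7, 0): (7, 0, 34),
    (8, 0): (8, 0, 23),
    (8, 2): (8, 2, 9),
    (8, 3): (8, 3, 2),
}

_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return the first X.Y.Z version in `text` as a (major, minor, patch)
    tuple, or None if no such token is present. Works on a bare "7.0.33"
    as well as on a full line of `mongocryptd --version` output."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """Classify a mongocryptd / crypt_shared version against CVE-2026-8201.

    Returns True when the version is on a listed branch and older than that
    branch's fix, False when it is at or past the fix, and None when the
    branch is not covered by the advisory at all. None is deliberately not
    collapsed into False: "not listed" is not the same as "not vulnerable".
    """
    if isinstance(version, str):
        version = parse_version(version)
    if version is None:
        raise ValueError("no X.Y.Z version token found")
    major, minor, _patch = version
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is None:
        return None
    return version < fixed


# Constructed sample lines in the general shape of `mongocryptd --version`
# output. The exact wording of the real output is an assumption; the check
# only relies on the version token. crypt_shared is assumed (not stated by
# the advisory) to share the server release's version number.
SAMPLE_OUTPUTS = [
    "mongocryptd version v7.0.33",
    "mongocryptd version v8.0.23",
    "mongocryptd version v8.2.10",
    "mongocryptd version v8.3.1",
    "mongocryptd version v6.0.21",
]

LABELS = {True: "AFFECTED", False: "fixed", None: "branch not listed in advisory"}


def classify_all(lines):
    """Map each output line to its advisory status label."""
    return {line: LABELS[is_affected(line)] for line in lines}


if __name__ == "__main__":
    for line, status in classify_all(SAMPLE_OUTPUTS).items():
        print(f"{line!r:36} -> {status}")
```

Feed it the real output of `mongocryptd --version` from each host running query analysis, and treat a `None` result as a prompt to check the vendor's advisory directly rather than as a clean bill of health.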