CVE-2026-8336
Post-authentication use-after-free error in $_internalJsEmit and mapreduce commands
CVSS Score
7.5
EPSS Score
0.1%
EPSS Percentile
16th
After invoking $_internalJsEmit, which is not intended to be directly accessible, or mapreduce command’s map function in a certain way, an authenticated user can subsequently crash mongod when the server-side JavaScript engine (through $where, $function, mapreduce reduce stage, etc.) is used also in a specific way, resulting in a post-authentication denial-of-service. This issue impacts MongoDB Server v7.0 versions prior to 7.0.34, v8.0 versions prior to 8.0.23, v8.2 versions prior to 8.2.9 and v8.3 versions prior to 8.3.2.
| CWE | CWE-416 |
| Vendor | mongodb, inc. |
| Product | mongodb server |
| Published | May 13, 2026 |
| Last Updated | May 13, 2026 |
Stay Ahead of the Next One
Get instant alerts for mongodb, inc. mongodb server
Be the first to know when new high vulnerabilities affecting mongodb, inc. mongodb server are published — delivered to Slack, Telegram or Discord.
Get Free Alerts →
Free · No credit card · 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Affected Versions
MongoDB, Inc. / MongoDB Server
7.0 < 7.0.34 8.0 < 8.0.23 8.2 < 8.2.9 8.3 < 8.3.2