CVEFinder.io

CVE-2026-8053

⚠️ high
πŸ” Scan for this CVE
Summary

An issue in MongoDB Server's time-series collection implementation allows an authenticated user with database write privileges to trigger an out-of-bounds memory write in the mongod process. The issue results from an inconsistency in the internal field-name-to-index mapping within the time-series bucket catalog. Under certain conditions this can result in arbitrary code execution. This issue impacts MongoDB Server v5.0 versions prior to 5.0.33, v6.0 versions prior to 6.0.28, v7.0 versions prior

Description

An issue in MongoDB Server's time-series collection implementation allows an authenticated user with database write privileges to trigger an out-of-bounds memory write in the mongod process. The issue results from an inconsistency in the internal field-name-to-index mapping within the time-series bucket catalog. Under certain conditions this can result in arbitrary code execution.

This issue impacts MongoDB Server v5.0 versions prior to 5.0.33, v6.0 versions prior to 6.0.28, v7.0 versions prior to 7.0.34, v8.0 versions prior to 8.0.23, v8.2 versions prior to 8.2.9 and v8.3 versions prior to 8.3.2.

CVSS Score
8.8
High
EPSS Score
0.1
Exploit Probability
Published Date
2026-05-13
First Seen: 2026-05-19
πŸ“Š Relative Risk Intelligence

This CVE is High Risk - more severe than 81.1% of all 321,566 vulnerabilities in our database.

#60,805
Top 25% most severe
Severity Percentile
🎯 CISA SSVC Assessment Updated: May 13, 2026
πŸ” Exploitation Status
None
No known exploits
βš™οΈ Automatable
NO
Requires human interaction
πŸ’₯ Technical Impact
Total
Complete system compromise possible
SSVC data provided by CISA
Last Modified 2026-05-18
Source NVD πŸ”—
CVSS Vector 3.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS Vector 4.0 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CWE IDs (Weakness Types)
CWE-787

πŸ“¦ Affected Products 6

Vendor Product Status Affected Versions
mongodb mongodb Affected
> 5.0.0 < 5.0.33
mongodb mongodb Affected
> 6.0.0 < 6.0.28
mongodb mongodb Affected
> 7.0.0 < 7.0.34
mongodb mongodb Affected
> 8.0.0 < 8.0.23
mongodb mongodb Affected
> 8.2.0 < 8.2.9
mongodb mongodb Affected
> 8.3.0 < 8.3.2

πŸ”— References 1

https://jira.mongodb.org/browse/SERVER-126021
Patch Vendor Advisory

πŸ”— Related CVEs 6

CVE ID Severity CVSS EPSS Summary Published
CVE-2026-8336 ⚠️ high 7.5 0.1 After invoking $_internalJsEmit, which is not intended to be directly accessible, or mapreduce command’s map function ... 2026-05-13
CVE-2026-8200 ℹ️ low 2.7 0.0 When schema validation is enabled on a collection and an update or insert would violate the collection's schema, the loc... 2026-05-13
CVE-2026-8202 πŸ”Ά medium 4.3 0.0 Using a densely populated chars mask and a large input string in the MongoDB aggregation operators $trim, $ltrim, and $r... 2026-05-13
CVE-2026-8063 πŸ”Ά medium 6.5 0.0 An authenticated user can crash mongod when running $rankFusion or $scoreFusion with an empty pipeline on a view. When ... 2026-05-07
CVE-2026-5170 πŸ”Ά medium 5.3 0.0 A user with access to the cluster with a limited set of privilege actions can trigger a crash of aΒ mongod process durin... 2026-03-30
CVE-2026-4147 πŸ”Ά medium 6.5 0.0 An authenticated user with the read role may read limited amounts of uninitialized stack memory via specially-crafted is... 2026-03-17
These CVEs affect the same products