CVEFinder.io

CVE-2026-8202

πŸ”Ά medium
πŸ” Scan for this CVE
Summary

Using a densely populated chars mask and a large input string in the MongoDB aggregation operators $trim, $ltrim, and $rtrim, an authenticated user with aggregation permissions can pin CPU utilization at 100% for an extended period of time. This issue impacts MongoDB Server v7.0 versions prior to 7.0.34, v8.0 versions prior to 8.0.23, v8.2 versions prior to 8.2.9 and v8.3 versions prior to 8.3.2.

CVSS Score
4.3
Medium
EPSS Score
0.0
Exploit Probability
Published Date
2026-05-13
First Seen: 2026-05-19
πŸ“Š Relative Risk Intelligence

This CVE is Lower Risk - more severe than 5.4% of all 321,566 vulnerabilities in our database.

#304,103
Below average severity
Severity Percentile
🎯 CISA SSVC Assessment Updated: May 13, 2026
πŸ” Exploitation Status
None
No known exploits
βš™οΈ Automatable
NO
Requires human interaction
πŸ’₯ Technical Impact
Partial
Limited system impact
SSVC data provided by CISA
Last Modified 2026-05-18
Source NVD πŸ”—
CVSS Vector 3.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
CVSS Vector 4.0 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CWE IDs (Weakness Types)
CWE-770

πŸ“¦ Affected Products 4

Vendor Product Status Affected Versions
mongodb mongodb Affected
> 7.0.0 < 7.0.34
mongodb mongodb Affected
> 8.0.0 < 8.0.23
mongodb mongodb Affected
> 8.2.0 < 8.2.9
mongodb mongodb Affected
> 8.3.0 < 8.3.2

πŸ”— References 1

https://jira.mongodb.org/browse/SERVER-120668
Issue Tracking Vendor Advisory

πŸ”— Related CVEs 6

CVE ID Severity CVSS EPSS Summary Published
CVE-2026-8336 ⚠️ high 7.5 0.1 After invoking $_internalJsEmit, which is not intended to be directly accessible, or mapreduce command’s map function ... 2026-05-13
CVE-2026-8053 ⚠️ high 8.8 0.1 An issue in MongoDB Server's time-series collection implementation allows an authenticated user with database write priv... 2026-05-13
CVE-2026-8200 ℹ️ low 2.7 0.0 When schema validation is enabled on a collection and an update or insert would violate the collection's schema, the loc... 2026-05-13
CVE-2026-8063 πŸ”Ά medium 6.5 0.0 An authenticated user can crash mongod when running $rankFusion or $scoreFusion with an empty pipeline on a view. When ... 2026-05-07
CVE-2026-5170 πŸ”Ά medium 5.3 0.0 A user with access to the cluster with a limited set of privilege actions can trigger a crash of aΒ mongod process durin... 2026-03-30
CVE-2026-4147 πŸ”Ά medium 6.5 0.0 An authenticated user with the read role may read limited amounts of uninitialized stack memory via specially-crafted is... 2026-03-17
These CVEs affect the same products