PatchSiren cyber security CVE debrief
CVE-2026-11933 MongoDB CVE debrief
CVE-2026-11933 is a use-after-free vulnerability in MongoDB Server's server-side JavaScript engine. An authenticated user with read privileges who can run server-side JavaScript can cause the server to access memory that has already been freed, potentially resulting in disclosure of information from the mongod process memory or a denial of service through a server crash.
- Vendor: MongoDB
- Product: Unknown
- CVSS: 8.7 (HIGH)
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-12
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-12
- Advisory updated: 2026-06-12
Who should care
Users of MongoDB Server who have server-side JavaScript enabled, particularly those with authenticated users who have read privileges.
Technical summary
The vulnerability lies in the server-side JavaScript engine's conversion of BSON documents to JavaScript arrays. An authenticated user with read privileges who can run server-side JavaScript (for example, via $where or $function) can trigger it.
Defensive priority
High
Recommended defensive actions
- Apply the patch or update provided by MongoDB to fix the use-after-free vulnerability.
- Restrict access to server-side JavaScript execution to only necessary users and roles.
- Monitor MongoDB Server logs for server-side JavaScript use (such as $where or $function) by accounts that should not need it, and for unexpected mongod crashes.
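As an added example (not part of the PatchSiren debrief or of any MongoDB tooling), the following Python scans mongod structured log lines for the server-side JavaScript operators named above. It assumes the MongoDB 4.4+ JSON log format, where slow-query entries carry the client command under attr.command; the sample log lines are constructed.

```python
"""Scan mongod JSON log lines for server-side JavaScript operators."""
import json

# $where and $function are named in the debrief; $accumulator also runs JS.
JS_OPERATORS = {"$where", "$function", "$accumulator"}

# Constructed sample lines in the (assumed) MongoDB 4.4+ JSON log shape,
# id 51803 = "Slow query"; not taken from any real deployment.
SAMPLE_LOG = [
    '{"t":{"$date":"2026-06-12T10:00:01.000Z"},"s":"I","c":"COMMAND","id":51803,'
    '"ctx":"conn41","msg":"Slow query","attr":{"type":"command","ns":"app.users",'
    '"command":{"find":"users","filter":{"$where":"this.a.length > 0"}}}}',
    '{"t":{"$date":"2026-06-12T10:00:02.000Z"},"s":"I","c":"COMMAND","id":51803,'
    '"ctx":"conn42","msg":"Slow query","attr":{"type":"command","ns":"app.orders",'
    '"command":{"aggregate":"orders","pipeline":[{"$match":{"$expr":{"$function":'
    '{"body":"function(x){return x;}","args":["$items"],"lang":"js"}}}}]}}}',
    '{"t":{"$date":"2026-06-12T10:00:03.000Z"},"s":"I","c":"COMMAND","id":51803,'
    '"ctx":"conn43","msg":"Slow query","attr":{"type":"command","ns":"app.users",'
    '"command":{"find":"users","filter":{"status":"active"}}}}',
    "2026-06-12T10:00:04.000+0000 I  COMMAND  [conn44] legacy text-format line",
]


def find_js_operators(node, path=""):
    """Yield the dotted path of every JS operator key anywhere in a command."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else key
            if key in JS_OPERATORS:
                yield here
            yield from find_js_operators(value, here)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from find_js_operators(item, f"{path}[{i}]")


def scan_log_lines(lines):
    """Return one finding per entry whose command uses JS operators."""
    findings = []
    for line in lines:
        try:
            entry = json.loads(line)
        except ValueError:
            continue  # legacy text format or truncated line: skip, not fatal
        attr = entry.get("attr") or {}
        hits = list(find_js_operators(attr.get("command") or {}))
        if hits:
            findings.append({"time": entry.get("t", {}).get("$date"),
                             "conn": entry.get("ctx"), "ns": attr.get("ns"),
                             "operators": hits})
    return findings
```

Run against SAMPLE_LOG it reports conn41 (filter.$where) and conn42 (pipeline[0].$match.$expr.$function) and ignores the benign query and the non-JSON line; point it at a real mongod log to review which connections and namespaces invoke server-side JavaScript.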
Evidence notes
The CVE record and NVD detail pages provide information on the vulnerability, including its CVSS score and weaknesses.
Official resources
- CVE-2026-11933 CVE record (CVE.org)
- CVE-2026-11933 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: CVE-2026-11933 was published on 2026-06-12T02:16:38.527Z and modified on 2026-06-12T16:06:17.027Z.