PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-8053 MongoDB CVE debrief

CVE-2026-8053 affects MongoDB Server’s time-series collection implementation and can be triggered by an authenticated user with database write privileges. The flaw is an out-of-bounds memory write in the mongod process caused by an inconsistency in the internal field-name-to-index mapping within the time-series bucket catalog. MongoDB and NVD both indicate that, under certain conditions, the issue can lead to arbitrary code execution.

Vendor
MongoDB
Product
MongoDB Server (per the NVD record; see evidence notes)
CVSS
HIGH 8.7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-13
Original CVE updated
2026-05-18
Advisory published
2026-05-13
Advisory updated
2026-05-18

Who should care

MongoDB operators, database administrators, security teams, and application owners using MongoDB Server time-series collections—especially environments that grant authenticated users write access to databases.

Technical summary

The issue is classified as CWE-787 (out-of-bounds write). According to the supplied description, the vulnerable path is in MongoDB Server’s time-series collection implementation, where an internal field-name-to-index mapping inconsistency in the bucket catalog can drive a memory write beyond bounds in mongod. The attack requires authentication and database write privileges, but successful exploitation may result in arbitrary code execution. Affected versions are MongoDB Server v5.0 prior to 5.0.33, v6.0 prior to 6.0.28, v7.0 prior to 7.0.34, v8.0 prior to 8.0.23, v8.2 prior to 8.2.9, and v8.3 prior to 8.3.2.

Defensive priority

High. The vulnerability is reachable by any authenticated database user holding write privileges, needs no further local access according to the record, and can potentially lead to code execution inside the mongod process, which typically runs with access to every database the instance serves. Prioritize systems that use time-series collections or that expose write-capable accounts to applications, CI pipelines, or shared service identities.

Recommended defensive actions

  • Upgrade MongoDB Server to a fixed release: 5.0.33, 6.0.28, 7.0.34, 8.0.23, 8.2.9, or 8.3.2, depending on your major version.
  • Inventory MongoDB deployments to identify versions earlier than the fixed releases and verify whether time-series collections are in use.
  • Review database accounts with write privileges and remove or reduce unnecessary write access where possible.
  • Treat authenticated write-capable users as a meaningful risk boundary for this issue and prioritize patching any environment with shared or broadly delegated write accounts.
  • Track the vendor advisory/reference tied to SERVER-126021 for any remediation guidance or updates.
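The inventory and account-review steps above are easy to get wrong by hand across many branches, so the following script is an added example (not from PatchSiren, MongoDB, or the CVE record) that encodes the fixed-version cutoffs from this record and triages a constructed host inventory offline. It assumes the inventory was collected with standard mongosh calls (`db.version()`, `db.getCollectionInfos()`, `db.getUsers()`), that time-series collections appear in `listCollections` output with `type: "timeseries"`, and that the set of write-capable built-in roles below is a deliberately simplified assumption; the hostnames, users and collection names are constructed sample data.

```python
"""Offline triage for CVE-2026-8053 (MongoDB Server time-series OOB write).

Classifies a MongoDB Server version against the fixed releases named in the
CVE record and flags hosts that combine a vulnerable version with
time-series collections and/or write-capable accounts.
"""
import re

# First fixed patch level per affected branch, from the CVE record:
# 5.0.33, 6.0.28, 7.0.34, 8.0.23, 8.2.9, 8.3.2.
FIXED = {
    (5, 0): 33,
    (6, 0): 28,
    (7, 0): 34,
    (8, 0): 23,
    (8, 2): 9,
    (8, 3): 2,
}

# Built-in roles that grant inserts/updates. ASSUMPTION: a simplified set
# for illustration only; custom roles and privilege-level grants must be
# reviewed separately.
WRITE_ROLES = {"readWrite", "readWriteAnyDatabase", "dbOwner", "root", "restore"}


def parse_version(version):
    """Return (major, minor, patch) from a version string such as '7.0.33'.
    A pre-release suffix like '-rc0' is ignored (treated as the base version)."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError("unrecognised MongoDB version string: %r" % version)
    return tuple(int(x) for x in m.groups())


def version_status(version):
    """'affected', 'fixed', or 'unlisted' (branch not named in the record)."""
    major, minor, patch = parse_version(version)
    fixed_patch = FIXED.get((major, minor))
    if fixed_patch is None:
        # The record says nothing about this branch (e.g. 4.4 or 8.1):
        # do not assume safe, confirm with the vendor advisory.
        return "unlisted"
    return "affected" if patch < fixed_patch else "fixed"


def timeseries_collections(collection_infos):
    """Names of time-series collections from db.getCollectionInfos() output."""
    return [c["name"] for c in collection_infos if c.get("type") == "timeseries"]


def write_capable_users(users):
    """Usernames from db.getUsers() output that hold a write-capable role."""
    return [
        u["user"]
        for u in users
        if any(r.get("role") in WRITE_ROLES for r in u.get("roles", []))
    ]


def triage(host):
    """Combine version status, time-series usage and write-capable accounts
    into a patch priority for one host."""
    status = version_status(host["version"])
    ts = timeseries_collections(host["collections"])
    writers = write_capable_users(host["users"])
    if status == "fixed":
        priority = "none"
    elif status == "unlisted":
        priority = "verify"
    elif ts and writers:
        priority = "urgent"   # vulnerable code path in use, attacker prerequisite met
    else:
        priority = "high"     # still vulnerable; time-series use or write grants may change
    return {"host": host["host"], "version": host["version"], "status": status,
            "timeseries": ts, "write_users": writers, "priority": priority}


# Constructed sample inventory (not real hosts); shape mirrors mongosh output.
INVENTORY = [
    {"host": "prod-ts-01", "version": "7.0.33",
     "collections": [{"name": "metrics", "type": "timeseries"},
                     {"name": "system.buckets.metrics", "type": "collection"}],
     "users": [{"user": "ingest", "roles": [{"role": "readWrite", "db": "telemetry"}]}]},
    {"host": "prod-app-02", "version": "8.0.23",
     "collections": [{"name": "orders", "type": "collection"}],
     "users": [{"user": "app", "roles": [{"role": "readWrite", "db": "shop"}]}]},
    {"host": "legacy-03", "version": "4.4.29",
     "collections": [{"name": "events", "type": "collection"}],
     "users": [{"user": "admin", "roles": [{"role": "root", "db": "admin"}]}]},
    {"host": "staging-04", "version": "8.2.8",
     "collections": [{"name": "samples", "type": "timeseries"}],
     "users": [{"user": "reporter", "roles": [{"role": "read", "db": "lab"}]}]},
]


def triage_all(inventory=INVENTORY):
    return [triage(h) for h in inventory]


if __name__ == "__main__":
    for r in triage_all():
        print("%-12s %-8s %-9s %-7s ts=%s writers=%s"
              % (r["host"], r["version"], r["status"], r["priority"],
                 r["timeseries"], r["write_users"]))
```

Hosts reported as `unlisted` are not cleared by this script: the record names only the six branches above, so anything else must be checked against the vendor advisory rather than assumed unaffected. The `high` bucket exists because a read-only deployment today can acquire write-capable accounts or time-series collections tomorrow; the version is still vulnerable and belongs in the patch cycle.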

Evidence notes

The vulnerability description, version ranges, and impact come from the supplied CVE record and NVD metadata. The NVD record lists MongoDB Server as the affected product, CWE-787 as the weakness, and the fixed-version cutoffs. The supplied vendor reference points to Jira issue SERVER-126021 and is tagged as Patch/Vendor Advisory. No KEV entry was provided in the enrichment fields.

Official resources

CVE published 2026-05-13T04:17:41.287Z and last modified 2026-05-18T13:06:01.570Z in the supplied record. This debrief uses the published CVE/NVD metadata and the linked vendor reference; no additional timing assumptions were made.