PatchSiren cyber security CVE debrief
CVE-2026-8202 Mongodb CVE debrief
CVE-2026-8202 is a denial-of-service issue in MongoDB Server where a densely populated chars mask combined with a large input string in the aggregation operators $trim, $ltrim, and $rtrim can pin CPU utilization at 100% for an extended period. The issue was published on 2026-05-13 and last modified by NVD on 2026-05-18. MongoDB versions affected are 7.0 before 7.0.34, 8.0 before 8.0.23, 8.2 before 8.2.9, and 8.3 before 8.3.2.
- Vendor: Mongodb
- Product: Unknown
- CVSS: MEDIUM 5.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-13
- Original CVE updated: 2026-05-18
- Advisory published: 2026-05-13
- Advisory updated: 2026-05-18
Who should care
MongoDB administrators, SREs, and application teams that expose aggregation functionality to authenticated users should care most, especially if workloads accept user-controlled strings or trimming masks. Security teams should also review any environment where low-privilege database accounts can run aggregation pipelines.
Technical summary
NVD and the MongoDB reference indicate that an authenticated user with aggregation permissions can trigger excessive CPU consumption by combining a densely populated chars mask with a large input string in $trim, $ltrim, or $rtrim. The result is an availability impact only, with CVSS 5.3 (medium) and CWE-770 listed as the weakness. The affected version ranges are MongoDB Server 7.0.0 through 7.0.33, 8.0.0 through 8.0.22, 8.2.0 through 8.2.8, and 8.3.0 through 8.3.1.
Defensive priority
Medium. The issue does not indicate data theft or code execution, but it can monopolize CPU on affected servers and degrade service for legitimate workloads. Prioritize upgrades on any exposed or multi-tenant MongoDB deployment where authenticated users can run aggregation pipelines.
Recommended defensive actions
- Upgrade MongoDB Server to a fixed release: 7.0.34, 8.0.23, 8.2.9, or 8.3.2, depending on your branch.
- Review who has aggregation permissions and remove unnecessary low-privilege access where practical.
- Monitor MongoDB host CPU and query patterns for unusually expensive trim operations involving large strings or dense chars masks.
- Validate application code that builds aggregation pipelines from user input, and constrain or sanitize inputs that feed $trim, $ltrim, or $rtrim.
- Track the MongoDB issue reference SERVER-120668 for vendor guidance and remediation context.
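As an added example that is not part of this advisory or of MongoDB's own code, the following pre-flight check implements the fourth action above: it walks an application-built pipeline (in the dict/list shape pymongo sends) and flags every $trim, $ltrim or $rtrim whose chars mask or inline input cannot be bounded statically or exceeds a limit. The thresholds MAX_CHARS_MASK and MAX_INPUT_LITERAL, the function names and the sample pipelines are assumptions constructed for illustration.

```python
# Aggregation operators named in CVE-2026-8202.
TRIM_OPS = {"$trim", "$ltrim", "$rtrim"}
# Assumed limits for this example, not vendor guidance; tune them to your workload.
MAX_CHARS_MASK = 64
MAX_INPUT_LITERAL = 4096


def _check_trim(op, spec, path, problems):
    """Append a description of each limit the trim operator at `path` violates."""
    if not isinstance(spec, dict):
        problems.append(f"{path}: {op} must take an object with 'input' and 'chars'")
        return
    chars = spec.get("chars")
    # A missing mask means the small default whitespace set. A literal mask is
    # bounded here; a '$field' path or other expression cannot be bounded before execution.
    if chars is not None and (not isinstance(chars, str) or chars.startswith("$")):
        problems.append(f"{path}: {op} chars must be a string literal, not an expression")
    elif isinstance(chars, str) and len(chars) > MAX_CHARS_MASK:
        problems.append(f"{path}: {op} chars mask has {len(chars)} code points")
    inp = spec.get("input")
    # Only inline literals can be sized here; '$field' paths resolve per document.
    if isinstance(inp, str) and not inp.startswith("$") and len(inp) > MAX_INPUT_LITERAL:
        problems.append(f"{path}: {op} inline input is {len(inp)} code points")


def _walk(node, path, problems):
    """Recurse through stages, sub-documents and arrays looking for trim operators."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key in TRIM_OPS:
                _check_trim(key, value, f"{path}.{key}", problems)
            _walk(value, f"{path}.{key}", problems)
    elif isinstance(node, list):
        for index, item in enumerate(node):
            _walk(item, f"{path}[{index}]", problems)


def find_unsafe_trims(pipeline):
    """Return a list of violations; an empty list means the pipeline may be sent."""
    problems = []
    _walk(pipeline, "pipeline", problems)
    return problems


# Constructed sample pipelines for demonstration (not taken from the advisory).
SAFE_PIPELINE = [{"$project": {"name": {"$trim": {"input": "$name", "chars": " \t\r\n"}}}}]
DENSE_MASK_PIPELINE = [{"$addFields": {"name": {"$ltrim": {
    "input": "$name", "chars": "".join(chr(c) for c in range(32, 127))}}}}]
EXPR_MASK_PIPELINE = [{"$match": {"$expr": {"$eq": [
    {"$rtrim": {"input": "$name", "chars": "$mask"}}, ""]}}}]
```

Call find_unsafe_trims on the pipeline before it is sent and refuse the request when the list is non-empty; this is a compensating control for the window before the fixed releases are deployed, not a substitute for upgrading.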
Evidence notes
The debrief is based on the CVE description, NVD analyzed metadata, and the MongoDB Jira reference in the source corpus. Timing context: CVE published 2026-05-13T04:17:42.037Z and modified 2026-05-18T12:55:24.487Z. NVD lists the vulnerability as analyzed and provides the affected version ranges and CWE-770 classification. The vendor reference points to SERVER-120668.
Official resources
- CVE-2026-8202 CVE record (CVE.org)
- CVE-2026-8202 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Issue Tracking, Vendor Advisory
Publicly disclosed in the CVE record on 2026-05-13 and updated by NVD on 2026-05-18. No CISA KEV entry was provided in the source data.