PatchSiren cyber security CVE debrief
CVE-2026-8336 MongoDB CVE debrief
CVE-2026-8336 is a post-authentication denial-of-service issue in MongoDB Server. According to the vendor/NVD description, an authenticated user who first invokes certain internal or mapreduce-related JavaScript paths and then uses server-side JavaScript features such as $where, $function, or mapreduce reduce-stage behavior in a specific way can crash mongod. MongoDB Server v8.2 before 8.2.9 and v8.3 before 8.3.2 are affected.
- Vendor: MongoDB
- Product: Unknown
- CVSS: HIGH 7.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-13
- Original CVE updated: 2026-05-18
- Advisory published: 2026-05-13
- Advisory updated: 2026-05-18
Who should care
MongoDB operators and application owners who run MongoDB Server 8.2.x or 8.3.x, especially in environments that allow authenticated users to execute workloads involving server-side JavaScript or mapreduce. SRE, database, and platform teams should also care: the impact is service availability rather than data theft, but a mongod crash still interrupts production workloads.
Technical summary
NVD describes CVE-2026-8336 as a post-authentication DoS. The issue requires an authenticated user and a particular sequence involving $_internalJsEmit or a mapreduce map function, followed by use of server-side JavaScript execution paths such as $where, $function, or mapreduce reduce-stage behavior. The published weakness classification from the CNA is CWE-416 (use after free), and the CVSS v4 vector reflects network reachability, low privileges, no user interaction, and high availability impact. NVD lists the vulnerable version ranges as MongoDB Server 8.2.0 through 8.2.8 and 8.3.0 through 8.3.1.
Defensive priority
High. The issue is remotely reachable after authentication, has a high CVSS severity, and directly affects service availability. Systems that expose MongoDB to multiple authenticated users or host mixed-trust workloads should prioritize patching quickly.
Recommended defensive actions
- Upgrade MongoDB Server to 8.2.9 or later, or 8.3.2 or later, depending on your release line.
- Inventory deployments to identify any MongoDB 8.2.x and 8.3.x instances that fall within the affected ranges.
- Review whether your applications or administrators rely on server-side JavaScript features such as $where, $function, or mapreduce paths and limit access where possible.
- Reduce the number of users or services that can run privileged database workloads, especially where authenticated users do not need broad query or scripting capabilities.
- Monitor for unexpected mongod crashes or restarts in environments that use server-side JavaScript or mapreduce functionality.
- After patching, validate that critical application queries and maintenance jobs still behave as expected on the fixed release.
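The inventory and review steps above can be scripted. The following is an added example written for this debrief; it is not PatchSiren's or MongoDB's own tooling. It encodes the NVD version ranges for CVE-2026-8336, checks whether a node's version falls inside them, and reports whether server-side JavaScript is still enabled via the real mongod setting security.javascriptEnabled (set to false by --noscripting or in mongod.conf). The two sample response objects are constructed to match the shape of db.serverBuildInfo() and db.adminCommand({ getCmdLineOpts: 1 }) output, so the script runs stand-alone under Node.js without a server.

```javascript
// Added example (not from the PatchSiren debrief or MongoDB): triage one
// MongoDB node against the CVE-2026-8336 affected ranges and report whether
// server-side JavaScript is enabled. Runs in Node.js on constructed input;
// the same functions can be pasted into mongosh and fed live command output.

// Affected ranges from the NVD record: 8.2.0-8.2.8 and 8.3.0-8.3.1,
// fixed in 8.2.9 and 8.3.2 respectively.
const AFFECTED_RANGES = [
  { line: "8.2", minPatch: 0, maxPatch: 8, fixed: "8.2.9" },
  { line: "8.3", minPatch: 0, maxPatch: 1, fixed: "8.3.2" },
];

function parseVersion(versionString) {
  // Accepts "8.2.3" as well as suffixed builds such as "8.2.3-rc0".
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(versionString);
  if (!m) throw new Error(`unparseable MongoDB version: ${versionString}`);
  return { major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]) };
}

function isAffectedVersion(versionString) {
  const v = parseVersion(versionString);
  const range = AFFECTED_RANGES.find((r) => r.line === `${v.major}.${v.minor}`);
  if (!range) return { affected: false, fixed: null };
  const affected = v.patch >= range.minPatch && v.patch <= range.maxPatch;
  return { affected, fixed: affected ? range.fixed : null };
}

function javascriptEnabled(cmdLineOpts) {
  // security.javascriptEnabled defaults to true when absent from the parsed
  // startup options; --noscripting or "javascriptEnabled: false" turns it off.
  const parsed = (cmdLineOpts && cmdLineOpts.parsed) || {};
  const security = parsed.security || {};
  return security.javascriptEnabled !== false;
}

function assessNode(buildInfo, cmdLineOpts) {
  const { affected, fixed } = isAffectedVersion(buildInfo.version);
  const jsEnabled = javascriptEnabled(cmdLineOpts);
  let priority;
  if (!affected) {
    priority = "not affected";
  } else if (jsEnabled) {
    priority = "high: affected build with server-side JavaScript enabled";
  } else {
    priority = "medium: affected build, server-side JavaScript disabled; still upgrade";
  }
  return { version: buildInfo.version, affected, fixed, jsEnabled, priority };
}

// Constructed sample responses shaped like mongosh output (not captured from a real server).
const SAMPLE_BUILD_INFO = { version: "8.2.4" };
const SAMPLE_CMDLINE_OPTS = { parsed: { security: { authorization: "enabled" } } };

function demo() {
  return assessNode(SAMPLE_BUILD_INFO, SAMPLE_CMDLINE_OPTS);
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

In mongosh the live call is assessNode(db.serverBuildInfo(), db.adminCommand({ getCmdLineOpts: 1 })), which needs a role that can run getCmdLineOpts. Disabling server-side JavaScript with security.javascriptEnabled: false supports the "limit access where possible" action for deployments that do not need $where, $function, or mapreduce, but the debrief's fix is the upgrade to 8.2.9 or 8.3.2, so the script still ranks an affected build as needing patching even when scripting is off.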
Evidence notes
The CVE description states that after invoking $_internalJsEmit or a mapreduce map function in a certain way, an authenticated user can later crash mongod when server-side JavaScript is used in a specific way, causing post-authentication denial of service. NVD lists affected MongoDB Server versions as 8.2.0-8.2.8 and 8.3.0-8.3.1, and the CNA-provided weakness is CWE-416. The NVD record also includes a MongoDB Jira reference (SERVER-121610) tagged as Issue Tracking and Vendor Advisory. No evidence in the supplied corpus indicates KEV inclusion or active exploitation.
Official resources
- CVE-2026-8336 CVE record (CVE.org)
- CVE-2026-8336 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Issue Tracking, Vendor Advisory
Publicly disclosed on 2026-05-13 and modified on 2026-05-18 according to the supplied CVE timeline. No KEV date is present in the source corpus.