PatchSiren cyber security CVE debrief
CVE-2026-9743 MongoDB CVE debrief
CVE-2026-9743 is a HIGH severity vulnerability in MongoDB Server 8.0. An aggregation stage can leave its _subPipeline field null during processing of certain pipelines. If a getMore is subsequently issued on the same cursor, the server may dereference this null sub-pipeline when reattaching to the operation context, accessing an invalid address and crashing the process. This issue allows an authenticated user who can run aggregation pipelines to cause a denial of service by issuing a specially crafted aggregation followed by getMore on affected versions.
- Vendor: MongoDB
- Product: MongoDB Server
- CVSS: HIGH 7.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-09
- Original CVE updated: 2026-06-10
- Advisory published: 2026-06-09
- Advisory updated: 2026-06-10
Who should care
Users of MongoDB Server 8.0 who have authenticated users with the ability to run aggregation pipelines.
Technical summary
The vulnerability exists in an aggregation stage of MongoDB Server 8.0. A specially crafted aggregation pipeline can leave the stage's _subPipeline field null. A subsequent getMore on the same cursor makes the server dereference that null sub-pipeline while reattaching to the operation context, crashing the process.
Defensive priority
High
Recommended defensive actions
- Apply the official patch or update to a fixed version of MongoDB Server 8.0.
- Restrict access to aggregation pipeline execution to trusted users.
- Monitor MongoDB Server logs for unexpected process crashes and restarts, particularly those that follow aggregation and getMore activity from authenticated users.
Evidence notes
Vendor: MongoDB (inferred from reference_domain_candidate).
Official resources
- CVE-2026-9743 CVE record (CVE.org)
- CVE-2026-9743 NVD detail (NVD)
- Source item: nvd_modified
- Source reference
CVE-2026-9743 was published on 2026-06-09T23:17:03.853Z and modified on 2026-06-10T19:43:28.857Z.