PatchSiren cyber security CVE debrief
CVE-2026-9746 MongoDB CVE debrief
CVE-2026-9746 is a HIGH severity vulnerability in MongoDB that causes the server to crash when using $changestreams and $_requestReshardingResumeToken with the exchange option. The user must be logged in to issue the statement, but no special privileges are needed. The vulnerability has a CVSS score of 7.1.
- Vendor: MongoDB
- Product: MongoDB Server
- CVSS: HIGH 7.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-09
- Original CVE updated: 2026-06-10
- Advisory published: 2026-06-09
- Advisory updated: 2026-06-10
Who should care
Users of MongoDB who use $changestreams and $_requestReshardingResumeToken with the exchange option should be aware of this vulnerability and take steps to mitigate it.
Technical summary
The server crashes when it hits an invariant, an internal consistency check whose failure aborts the process. The crash is triggered by a specific sequence of operations involving $changestreams and $_requestReshardingResumeToken with the exchange option.
Defensive priority
HIGH
Recommended defensive actions
- Apply the patch or update to the latest version of MongoDB as soon as possible.
- Review and restrict the use of $changestreams and $_requestReshardingResumeToken with the exchange option.
- Monitor MongoDB server logs for signs of crashes or errors.
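For the log-monitoring action, the following added example (not code from MongoDB or from this advisory) scans mongod's structured JSON log for fatal entries, flags invariant failures, and pairs each with the next process start. It assumes JSON logging (MongoDB 4.4 and later), severity `F` for fatal entries, and the message strings "Invariant failure" and "MongoDB starting"; the sample lines are constructed.

```python
import json
from datetime import datetime

# Constructed sample in mongod's structured JSON log format (ids and values are placeholders).
SAMPLE_LOG = r'''
{"t":{"$date":"2026-06-10T08:00:01.120+00:00"},"s":"I","c":"NETWORK","id":1,"ctx":"listener","msg":"Connection accepted","attr":{"remote":"10.0.0.15:51822"}}
{"t":{"$date":"2026-06-10T08:00:02.456+00:00"},"s":"F","c":"ASSERT","id":2,"ctx":"conn41","msg":"Invariant failure","attr":{"expr":"<expr>","file":"<file>","line":0}}
{"t":{"$date":"2026-06-10T08:00:02.457+00:00"},"s":"F","c":"CONTROL","id":3,"ctx":"conn41","msg":"Writing fatal message","attr":{"message":"<text>"}}
plain-text noise that is not JSON
{"t":{"$date":"2026-06-10T08:00:09.003+00:00"},"s":"I","c":"CONTROL","id":4,"ctx":"initandlisten","msg":"MongoDB starting","attr":{"pid":4242,"port":27017}}
'''

def scan(lines):
    """Return (fatal_events, restart_timestamps) from structured mongod log lines."""
    fatal, restarts = [], []
    for raw in lines:
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue  # blank lines and non-JSON noise are skipped
        if not isinstance(entry, dict):
            continue
        ts = (entry.get("t") or {}).get("$date")
        msg = entry.get("msg", "")
        if ts is None:
            continue
        if entry.get("s") == "F":  # assumed: "F" marks fatal severity
            fatal.append({"time": ts, "ctx": entry.get("ctx"), "msg": msg,
                          "invariant": "invariant" in msg.lower(),
                          "attr": entry.get("attr", {})})
        elif msg == "MongoDB starting":  # assumed startup message
            restarts.append(ts)
    return fatal, restarts

def alerts(lines):
    """One alert per invariant failure, with the first restart seen after it (or None)."""
    fatal, restarts = scan(lines)
    out = []
    for ev in fatal:
        if not ev["invariant"]:
            continue
        crashed = datetime.fromisoformat(ev["time"])
        nxt = next((r for r in restarts if datetime.fromisoformat(r) > crashed), None)
        out.append({"time": ev["time"], "ctx": ev["ctx"],
                    "detail": ev["attr"], "restart_at": nxt})
    return out

if __name__ == "__main__":
    for a in alerts(SAMPLE_LOG.splitlines()):
        print(json.dumps(a))
```

The `ctx` value identifies the connection thread that hit the invariant, which helps tie a crash back to the authenticated client that issued the command.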
Evidence notes
The CVE record was obtained from the official CVE website and the NVD detail page.
Official resources
- CVE-2026-9746 CVE record (CVE.org)
- CVE-2026-9746 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference
CVE-2026-9746 was published on 2026-06-09T23:17:03.980Z and modified on 2026-06-10T19:43:28.857Z.