PatchSiren cyber security CVE debrief
CVE-2026-9753 MongoDB CVE debrief
The $_internalApplyOplogUpdate aggregation pipeline stage can be used to execute a document diff containing a malformed binary diff, causing the server to return out-of-bounds memory or crash. $_internalApplyOplogUpdate can be executed by any authenticated user with access to the aggregate command.
- Vendor: MongoDB
- Product: MongoDB Server
- CVSS: HIGH 7.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-09
- Original CVE updated: 2026-06-10
- Advisory published: 2026-06-09
- Advisory updated: 2026-06-10
Who should care
Users of MongoDB should be aware of this HIGH severity vulnerability (CVSS 7.2). Any authenticated user with access to the aggregate command can exploit it.
Technical summary
When the $_internalApplyOplogUpdate aggregation pipeline stage executes a document diff that contains a malformed binary diff, the server can return out-of-bounds memory or crash. Any authenticated user with access to the aggregate command can trigger this.
Defensive priority
HIGH
Recommended defensive actions
- Apply the necessary patches or updates to prevent exploitation of this vulnerability.
- Restrict access to the aggregate command to only authorized users.
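To support these actions with a usage check, the following added example (not from the advisory or from MongoDB) scans server log lines for aggregate commands whose pipeline references the stage, including inside nested sub-pipelines. It assumes MongoDB's structured JSON log format with the command document under `attr.command`; the log lines and the `<redacted>` stage argument are constructed.

```python
import json

STAGE = "$_internalApplyOplogUpdate"  # stage name taken from the advisory

# Constructed sample log lines (not real server output); the last one is truncated.
SAMPLE_LOG = '''
{"t":{"$date":"2026-06-11T08:00:01.000Z"},"s":"I","c":"COMMAND","ctx":"conn7","msg":"Slow query","attr":{"ns":"shop.orders","command":{"aggregate":"orders","pipeline":[{"$match":{"status":"open"}}]}}}
{"t":{"$date":"2026-06-11T08:00:05.000Z"},"s":"I","c":"COMMAND","ctx":"conn9","msg":"Slow query","attr":{"ns":"shop.orders","command":{"aggregate":"orders","pipeline":[{"$_internalApplyOplogUpdate":"<redacted>"}]}}}
{"t":{"$date":"2026-06-11T08:00:09.000Z"},"s":"I","c":"COMMAND","ctx":"conn11","msg":"Slow query","attr":{"ns":"shop.items","command":{"aggregate":"items","pipeline":[{"$facet":{"a":[{"$_internalApplyOplogUpdate":"<redacted>"}]}}]}}}
{"t":{"$date":"2026-06-11T08:00:12.000Z"},"s":"I","c":"COMMAND","ctx":"conn12","msg":"Slow query","attr":{"ns":"shop.notes","command":{"aggregate":"notes","pipeline":[{"$match":{"text":"$_internalApplyOplogUpdate"}}]}}}
{"t":{"$date":"2026-06-11T08:00:20.000Z"},"s":"I","c":"COMM
'''

def uses_stage(node):
    """True if the stage name appears as a key anywhere under node (not as a value)."""
    if isinstance(node, dict):
        return any(k == STAGE or uses_stage(v) for k, v in node.items())
    if isinstance(node, list):
        return any(uses_stage(v) for v in node)
    return False

def find_hits(log_text):
    """Return time, connection and namespace for each aggregate that uses the stage."""
    hits = []
    for line in log_text.splitlines():
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank, truncated or non-JSON line
        attr = entry.get("attr") if isinstance(entry, dict) else None
        cmd = attr.get("command") if isinstance(attr, dict) else None
        if not isinstance(cmd, dict) or "aggregate" not in cmd:
            continue
        if uses_stage(cmd.get("pipeline")):
            t = entry.get("t")
            hits.append({
                "time": t.get("$date") if isinstance(t, dict) else None,
                "ctx": entry.get("ctx"),
                "ns": attr.get("ns"),
            })
    return hits

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(hit)
```

The server logs a command only when it is slow or when log verbosity or profiling captures it, so an empty result does not show that the stage was never run.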
Evidence notes
Vendor and product information is based on evidence from the source item.
Official resources
- CVE-2026-9753 CVE record (CVE.org)
- CVE-2026-9753 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference: CVE-2026-9753 was published on 2026-06-09T23:17:04.897Z and modified on 2026-06-10T19:43:28.857Z.