HIGH 7.5

CVE-2026-9740: MongoDB BSON Validation Denial of Service (Unauthenticated)

MongoDB Server contains a flaw in how it validates BSON (Binary JSON) data structures that allows anyone on the network to crash the database server without needing to log in. An attacker can send a specially crafted message that exploits recursion logic in the validation code, causing the mongod process to fail. This is a denial-of-service issue—data is not stolen or modified, but legitimate database access becomes unavailable.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-674
Affected products
1 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

A vulnerability in MongoDB Server's BSON validation logic allows an unauthenticated user to crash the mongod process by sending a specially crafted message. The BSON validator's handling of certain nested binary data structures permits uncontrolled mutual recursion between validation functions, where each re-entry resets internal depth tracking.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-9740 stems from insufficient recursion depth tracking in MongoDB Server's BSON validation logic. The vulnerability exists in how the validator processes nested binary data structures. When processing certain payloads, validation functions can re-enter in an uncontrolled manner, with each recursion level resetting the internal depth counter rather than accumulating it. This allows an attacker to bypass recursion limits and trigger a stack overflow or resource exhaustion condition that terminates the mongod process. The issue is reachable over the network without authentication, making it exploitable by any network-adjacent actor.

Business impact

An attacker can render MongoDB instances unavailable on-demand, disrupting all dependent applications and services. Organizations relying on MongoDB for production workloads face potential service outages, data access disruption, and operational cascades if failover mechanisms are not properly configured. Recovery requires manual mongod restart, consuming incident response resources. In multi-tenant or cloud environments, a single unauthenticated network request can impact multiple customers or services sharing a MongoDB instance.

Affected systems

MongoDB Server instances are affected. The vulnerability is network-exploitable and requires no authentication, meaning any MongoDB deployment exposed to untrusted networks (or reachable from them) is at risk. This includes cloud-hosted MongoDB, on-premises deployments accessible from the internet, and internal instances if the attacker has network connectivity to the MongoDB port.

Exploitability

Exploitability is straightforward: the attack requires only network access to the MongoDB port and no valid credentials. An attacker can craft and send a malicious BSON message using standard MongoDB client libraries or raw network tools. The low complexity and absence of user interaction make this vulnerability highly exploitable. However, exploitation is not yet observed in the wild (KEV status is false), though the technical barrier to weaponization is minimal.

Remediation

Apply the security patch provided by MongoDB for CVE-2026-9740 as soon as practicable. Verify the patched version number in the MongoDB security advisory. Until patching is complete, mitigate by restricting network access to MongoDB ports using firewalls, network segmentation, or IP allowlisting. Disable MongoDB's network listener if the instance is not required to accept remote connections. Monitor mongod process availability and restart logs for unexpected terminations.

Patch guidance

Consult the MongoDB security advisory for the specific patched version addressing CVE-2026-9740. Test the patch in a non-production environment before deployment. Given the denial-of-service nature and high CVSS score (7.5), plan patching within your standard critical-priority timelines. Verify that the patch is applied to all MongoDB Server instances in your environment, including replicas and shards. Confirm mongod process stability after patching by monitoring for any restart anomalies over a 24–48 hour period.

Detection guidance

Monitor for unexpected mongod process crashes or restarts, especially those not preceded by maintenance windows or configuration changes. Review MongoDB logs for BSON validation errors or stack trace messages. Implement network-level detection by monitoring for malformed BSON messages or unusual binary payloads sent to MongoDB ports. Alert on repeated connection attempts followed by process termination. Establish a baseline of normal mongod uptime and flag deviations. If you suspect exploitation, correlate process termination timing with incoming network traffic to the MongoDB port.

Why prioritize this

Despite KEV status being false (not yet exploited in the wild), this vulnerability merits immediate attention due to high severity, trivial exploitability, and complete lack of authentication barriers. Any attacker with network access can trigger a denial-of-service condition. Organizations should prioritize patching according to criticality of MongoDB availability in their infrastructure, but high-availability deployments should still treat this as urgent to prevent cascading service disruptions.

Risk score, explained

The CVSS 3.1 score of 7.5 (HIGH) reflects a network-exploitable, unauthenticated attack that results in availability loss (denial of service) with no impact on confidentiality or integrity. The score does not account for ease of weaponization or lack of current real-world exploitation, but the vector (AV:N/AC:L/PR:N) underscores the low barrier to attack. Organizations should factor in their MongoDB's exposure to untrusted networks and the business criticality of database availability when determining actual risk within their environment.

Frequently asked questions

Can an attacker steal data using this vulnerability?

No. CVE-2026-9740 is a denial-of-service issue only. It does not permit data theft, modification, or unauthorized access. An attacker can crash the MongoDB process, but they cannot read or alter databases without separate authentication or other vulnerabilities.

Do I need authentication credentials to exploit this?

No. This is an unauthenticated vulnerability. Any attacker with network access to the MongoDB port can send a malicious BSON message and crash the mongod process without logging in.

Is this vulnerability actively being exploited?

As of the advisory date (June 2026), this vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, meaning active exploitation in the wild has not been publicly documented. However, the low technical barrier to exploitation means organizations should not rely on this status for prioritization.

What is the best interim mitigation if I cannot patch immediately?

Restrict network access to MongoDB ports using firewall rules or network segmentation. Allow connections only from known, trusted application servers or clients. Disable remote listening if the MongoDB instance does not require external connections. Implement automated monitoring and alerting for unexpected mongod process terminations so you can respond quickly if exploitation is attempted.

This analysis is based on the CVE-2026-9740 advisory published on 2026-06-09. Specific patch version numbers, detailed technical remediations, and vendor-specific guidance should be obtained directly from the official MongoDB security advisory. SEC.co provides this information for situational awareness; organizations must verify all technical details and patch availability before taking action. No exploit code or proof-of-concept is provided herein. Consult your MongoDB support team or the vendor advisory for environment-specific guidance. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).