MEDIUM 6.5

CVE-2026-9743: MongoDB Server 8.0 Aggregation Pipeline Null Pointer DoS

MongoDB Server 8.0 has a vulnerability where certain aggregation queries can leave internal data structures in an inconsistent state. If an authenticated user follows up with a cursor operation (getMore), the server attempts to access a null pointer, causing the process to crash. Only users with authentication credentials can trigger this, but no special privileges are required—any authenticated database user can initiate the attack.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-476
Affected products
1 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

In MongoDB Server 8.0, an aggregation stage can leave its _subPipeline field null during processing of certain pipelines. If a getMore is subsequently issued on the same cursor, the server may dereference this null sub-pipeline when reattaching to the operation context, accessing an invalid address and crashing the process. This issue allows an authenticated user who can run aggregation pipelines to cause a denial of service by issuing a specially crafted aggregation followed by getMore on affected versions.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-9743 is a null pointer dereference in MongoDB Server 8.0's aggregation pipeline engine. During processing of specific pipeline configurations, the _subPipeline field within an aggregation stage may remain null instead of being properly initialized. When a subsequent getMore command reattaches the cursor to its operation context, the server dereferences this null pointer without validation, resulting in an access violation and process termination. The vulnerability is rooted in CWE-476 (null pointer dereference) and requires an authenticated session but no elevated privileges.

Business impact

This vulnerability enables authenticated denial of service attacks against MongoDB deployments. An attacker with valid database credentials can repeatedly crash the MongoDB process, disrupting service availability. For applications relying on MongoDB for real-time operations, continuous process crashes can cascade into application-level failures, data access timeouts, and user-facing outages. Organizations running MongoDB 8.0 without proper access controls or monitoring may experience significant operational disruption from low-effort exploitation.

Affected systems

MongoDB Server version 8.0 is affected. The vulnerability requires an authenticated connection, so it is not exploitable against MongoDB instances that enforce strong authentication or network segmentation. Deployments allowing broad database access or using weak credential hygiene face elevated risk.

Exploitability

Exploitability is straightforward for authenticated users. No complex exploitation techniques, race conditions, or environmental factors are required—the attacker simply needs valid credentials and the ability to execute aggregation queries followed by getMore operations. The low attack complexity (AC:L in the CVSS vector) and lack of user interaction requirements mean that automated exploitation is feasible. However, the requirement for prior authentication (PR:L) limits the attack surface compared to unauthenticated vulnerabilities.

Remediation

Upgrade MongoDB Server to a patched version released after 2026-06-17. Verify the specific patched release version against MongoDB's official security advisory. Until patching is complete, restrict database authentication credentials to only those users who require aggregation pipeline access, and monitor for abnormal process restarts or repeated connection failures that may indicate exploitation attempts.

Patch guidance

Consult the MongoDB Security Advisory corresponding to CVE-2026-9743 for the exact patched version number applicable to your deployment. Apply patches during a maintenance window and validate functionality in a staging environment first. If you are running MongoDB 8.0, prioritize updating to the next stable or patch release that addresses this vulnerability.

Detection guidance

Monitor MongoDB logs for repeated aggregation pipeline errors followed by connection resets or process exits. Audit which database users are executing aggregation queries and correlate with process restart events. Network-based detection is difficult since this requires internal MongoDB wire protocol analysis; focus on application-level monitoring for connection failures and elevated error rates. Set alerts on unexpected mongod process restarts paired with authentication log entries.

Why prioritize this

While the CVSS score of 6.5 reflects medium severity, this vulnerability merits prompt attention because availability impact is high (A:H), the attack is trivial to execute for any authenticated user, and MongoDB availability is often critical to application operations. The low barrier to exploitation and potential for repeated service disruption justify rapid remediation despite the authentication requirement.

Risk score, explained

CVSS 3.1 score of 6.5 (MEDIUM) reflects: network accessibility (AV:N), low attack complexity (AC:L), requirement for authentication (PR:L), no user interaction needed (UI:N), single impacted scope (S:U), no confidentiality or integrity loss (C:N, I:N), but high availability impact (A:H). The authentication requirement prevents a higher score, but the trivial exploitation path and high availability impact make this a material risk for MongoDB 8.0 deployments.

Frequently asked questions

Can unauthenticated users exploit this vulnerability?

No. CVE-2026-9743 requires a valid authenticated connection to MongoDB. An attacker must possess database credentials to execute the malicious aggregation pipeline and getMore sequence.

Does this vulnerability result in data theft or corruption?

No. The vulnerability causes only a denial of service (process crash). There is no confidentiality or integrity impact—data is neither leaked nor modified. Restarting the MongoDB process restores service.

Are earlier versions of MongoDB affected?

According to the source data, MongoDB Server 8.0 is affected. Verify whether your specific version is covered by cross-referencing with the official MongoDB security advisory. Older versions may or may not be vulnerable.

What is the recommended action if we cannot patch immediately?

Immediately restrict authentication credentials to minimize the number of users who can execute aggregation queries. Implement network segmentation to limit who can connect to MongoDB. Enable detailed process and error logging to detect exploitation attempts. Plan an expedited patching schedule.

This analysis is based on source data published as of 2026-06-17. Verify all patch version numbers and remediation steps against MongoDB's official security advisory and your specific deployment configuration. SEC.co does not provide legal, compliance, or risk management advice. Organizations should conduct their own risk assessment and consult with MongoDB support for deployment-specific guidance. Exploit code and weaponized proof-of-concept demonstrations are not provided in this analysis. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).