MEDIUM 6.5

CVE-2026-9746: MongoDB Authenticated Denial-of-Service via Change Stream Resharding

MongoDB servers can be forced to crash when a logged-in user executes a specific combination of change stream operations with resharding resume tokens and the exchange option. An attacker with valid database credentials can trigger this denial-of-service condition without elevated privileges, causing service disruption. The crash occurs due to an unhandled invariant violation in the server code.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-617
Affected products
1 configuration(s)
Published / Modified
2026-06-09 / 2026-06-18

NVD description (verbatim)

When using $changestreams and $_requestReshardingResumeToken with the exchange option the server hits an invariant which causes the server to crash. There are no special privileges needed. The user must be logged in to issue the statement.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-9746 is a denial-of-service vulnerability in MongoDB triggered by the interaction of three specific features: $changestreams, $_requestReshardingResumeToken, and the exchange option. When these are combined in a single operation, the server encounters an invariant assertion failure that terminates the process. The vulnerability is reachable from any authenticated user context—no special roles or permissions are required beyond basic login access. The root cause is an invariant condition (CWE-617) that was not properly validated before the server attempted to execute the requested operation.

Business impact

This vulnerability enables authenticated denial-of-service attacks against MongoDB deployments. An attacker with valid database credentials—even a read-only user—can repeatedly crash the server, disrupting database availability and any applications dependent on those services. In multi-tenant or shared database environments, a malicious or compromised low-privilege account can impact all tenants. Recovery requires manual server restart. Sustained attacks could degrade operational resilience and trigger cascading failures in dependent systems.

Affected systems

MongoDB community and enterprise editions are affected. The specific vulnerable code path is invoked only when change streams are configured with resharding operations using the resume token and exchange parameters. Systems using standard change streams without resharding resume tokens and exchange options are not affected. Verify the exact affected versions against the MongoDB security advisory and your deployment topology.

Exploitability

Exploitability is straightforward: the vulnerability requires only valid database credentials and network access to the MongoDB instance. No special privileges, authentication bypass, or out-of-band techniques are needed. The attack surface is limited to users with existing database login capability, but in environments where database credentials are widely distributed (application service accounts, shared dev/test instances) or compromised, the attack can be executed trivially. No user interaction is required; the crash is deterministic.

Remediation

Apply the patched MongoDB version released by MongoDB Inc. as documented in their security advisory. After patching, verify the server starts cleanly and change stream operations function normally. For environments unable to patch immediately, consider restricting database access to trusted users only and monitoring for repeated connection attempts or unusual change stream configurations. However, patch deployment should be prioritized given the ease of exploitation.

Patch guidance

Consult the MongoDB security advisory to identify the patched version for your current MongoDB release branch. Apply patches during a maintenance window to minimize application downtime. Verify patch installation by checking the server version and testing change stream functionality in a non-production environment first. If using MongoDB Atlas or a managed service, verify that the service has been updated by the provider.

Detection guidance

Monitor MongoDB server logs for invariant assertion failures and unexpected server restarts. Look for repeated change stream operations originating from the same user or connection that correlate with server crashes. Alert on any occurrence of operations combining $changestreams, $_requestReshardingResumeToken, and exchange parameters. In production, ensure that database audit logging is enabled to track which users execute change stream operations. Set up automatic restart monitoring to detect repeated crashes that might indicate active exploitation.

Why prioritize this

Although the CVSS score is 6.5 (Medium), this should be treated as high-priority in most environments because denial-of-service attacks have immediate business impact. The low barrier to exploitation—requiring only authenticated access—means that credential compromise, insider threats, or misconfigured access controls can quickly lead to service disruption. Organizations with critical MongoDB deployments or strict uptime requirements should prioritize patching in their near-term schedule.

Risk score, explained

The CVSS 3.1 score of 6.5 reflects a network-accessible vulnerability requiring authentication (L), low attack complexity (L), causing high availability impact (A:H), with no confidentiality or integrity consequences. While not critical, the ease of exploitation by any authenticated user and the guaranteed denial-of-service outcome elevates real-world risk beyond the numerical score in operational contexts.

Frequently asked questions

Can an unauthenticated attacker exploit this?

No. The vulnerability requires valid MongoDB database credentials. The user must be logged in to the database. Unauthenticated users cannot reach the vulnerable code path.

Does this vulnerability expose data?

No. The vulnerability causes a server crash (denial-of-service) but does not leak, corrupt, or expose data. There is no confidentiality or integrity impact.

What does the exchange option do in change streams?

The exchange option is an internal parameter related to MongoDB's resharding functionality. It is typically used in advanced distributed database scenarios. Refer to MongoDB's technical documentation for detailed behavior; the key point is that combining it with resharding resume tokens can trigger the crash.

How can I tell if someone is trying to exploit this?

Look for database logs or audit entries showing users executing change stream operations, especially those that include resharding parameters and the exchange option. Unexpected server crashes without clear infrastructure issues should prompt investigation of recent database commands.

This analysis is based on publicly disclosed vulnerability data current as of the publication date. Specific patch versions, affected product versions, and remediation timelines must be verified against the official MongoDB security advisory. Exploit code and detailed attack demonstrations are not provided. Organizations should conduct their own risk assessment based on their MongoDB deployment architecture, version, and user access controls. This document is for informational purposes and does not constitute professional security advice. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).