CVE-2026-9748: MongoDB Denial of Service via Pipeline Signal Misuse
MongoDB's internal index statistics conversion stage inadvertently uses a signal mechanism that was designed for a completely different purpose. When this stage appears before the $facet aggregation operator in a pipeline, MongoDB's document processing layer receives an unexpected control signal and crashes. This is a denial-of-service flaw that requires authenticated database access to trigger.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-617
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
The $_internalConvertBucketIndexStats stage used PauseExecution as a way to signal "skip this document" when an index stats conversion failed. But PauseExecution is not a general purpose skip mechanism, but rather a TeeBuffer-internal signal used solely by $facet to coordinate its sub-pipelines. When this stage is placed before $facet in a pipeline, TeeBuffer receives the unexpected PauseExecution from upstream and hits a hard invariant assertion, crashing mongod.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The $_internalConvertBucketIndexStats aggregation stage incorrectly invokes PauseExecution to skip documents when index stats conversion fails. PauseExecution is a TeeBuffer-internal protocol signal used exclusively to coordinate sub-pipelines within the $facet operator. When $_internalConvertBucketIndexStats precedes $facet in an aggregation pipeline, the upstream PauseExecution signal violates TeeBuffer's invariant assumptions, causing an assertion failure and mongod process termination.
Business impact
Authenticated attackers can crash MongoDB database instances by crafting specific aggregation pipeline queries, resulting in service unavailability. Recovery requires manual restart of the affected mongod process. In applications with limited MongoDB replicas or single-instance deployments, this creates immediate operational disruption. Multi-replica deployments may experience failover delays and temporary query unavailability.
Affected systems
MongoDB is affected. Organizations running MongoDB instances accessible to authenticated users should assess exposure. The vulnerability requires valid database credentials and the ability to execute aggregation pipeline queries, limiting the attack surface to authenticated application users and database administrators.
Exploitability
Exploitation requires valid MongoDB authentication credentials and the ability to submit custom aggregation pipeline queries. No remote unauthenticated exploitation is possible. The attack complexity is low once authentication is achieved—a specific pipeline structure triggers the crash deterministically. Exploitation does not require unusual system configurations or user interaction.
Remediation
Apply the security patch released by MongoDB for CVE-2026-9748. Verify the specific patched version number against MongoDB's official security advisory. Until patched, restrict aggregation pipeline query submission to highly trusted application accounts and monitor for unexpected pipeline structures in query logs.
Patch guidance
Consult MongoDB's official security advisory for CVE-2026-9748 to identify the patched version applicable to your MongoDB deployment (Community, Enterprise, or Atlas). Test the patch in a staging environment before production rollout to ensure compatibility with active application workloads and aggregation pipelines. Verify patch application by confirming the installed MongoDB version matches the advisory's recommended release.
Detection guidance
Monitor MongoDB logs for aggregation pipeline queries containing both $_internalConvertBucketIndexStats and $facet operators in proximity. Alert on any unexpected hard assertions or process crashes involving TeeBuffer during pipeline execution. In production environments, establish a baseline of legitimate aggregation patterns and flag deviations that combine internal stages with $facet operators.
Why prioritize this
CVE-2026-9748 carries a CVSS score of 6.5 (MEDIUM) reflecting authenticated-only access requirements and limited impact scope (denial of service only, no data confidentiality or integrity breach). However, the deterministic crash mechanism and ease of exploitation via crafted queries warrant relatively prompt patching in environments where untrusted users or developers have aggregation pipeline access. Organizations with strict query governance or read-only application roles may deprioritize relative to higher-severity issues.
Risk score, explained
The CVSS 3.1 score of 6.5 reflects: network-based attack vector (AV:N), low attack complexity (AC:L), requirement for low-level authentication privilege (PR:L), no user interaction (UI:N), unchanged scope (S:U), no confidentiality impact (C:N), no integrity impact (I:N), and high availability impact (A:H). The score appropriately captures the service disruption potential balanced against the authentication barrier and absence of data exposure.
Frequently asked questions
Can an unauthenticated attacker exploit this vulnerability?
No. CVE-2026-9748 requires valid MongoDB authentication credentials. Remote attackers without database access cannot trigger the crash.
Does this vulnerability expose or modify data?
No. The vulnerability causes only a denial-of-service crash. No data confidentiality or integrity impact occurs. Restarting mongod restores access to unmodified data.
Which aggregation pipelines are dangerous?
Pipelines combining $_internalConvertBucketIndexStats before $facet trigger the vulnerability. Most applications do not construct such pipelines directly, but custom aggregation logic or internal tools may inadvertently create vulnerable structures.
Is MongoDB Atlas affected?
Verify MongoDB's advisory to confirm Atlas impact and available patch timeline. Atlas customers should follow MongoDB's guidance for automatic or manual cluster upgrades.
This analysis is based on public vulnerability data current as of the publication date. Specific patch version numbers, availability dates, and remediation steps must be verified against MongoDB's official security advisory at mongodb.com/security. SEC.co makes no warranty regarding the completeness or accuracy of vendor patch information. Organizations should conduct their own risk assessment considering their specific MongoDB configurations, user authentication policies, and aggregation pipeline usage patterns. This content is for informational purposes and does not constitute legal or compliance advice. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-9746MEDIUMMongoDB Authenticated Denial-of-Service via Change Stream Resharding
- CVE-2026-9749MEDIUMMongoDB Aggregation Pipeline Denial of Service via $exchange Buffer Tracking Flaw
- CVE-2026-9750MEDIUMMongoDB Authenticated Denial of Service and Data Integrity Issue
- CVE-2026-46220MEDIUMLinux AMDGPU Kernel Panic DoS Vulnerability
- CVE-2026-46287MEDIUMLinux txgbe Driver RTNL Locking Defect
- CVE-2026-46542MEDIUMNimiq Ed25519 Denial-of-Service Vulnerability (Version 1.4.0 Patch)
- CVE-2026-46543MEDIUMNimiq Remote Node Crash Vulnerability
- CVE-2026-10300LOWSGLang Inference Endpoint Assertion Failure Vulnerability (CWE-617)