CVE-2026-9750: MongoDB Authenticated Denial of Service and Data Integrity Issue
CVE-2026-9750 is a medium-severity vulnerability in MongoDB that allows authenticated users to crash the database server or cause it to return incorrect query results. The flaw occurs because MongoDB doesn't properly separate user-supplied document fields from its internal metadata during query processing, allowing a malicious or compromised account to exploit this weakness without requiring network access beyond normal database authentication.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-617
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
An authenticated user can cause a MongoDB server to crash or return incorrect results by creating documents that interfere with internal metadata processing during query execution. This stems from insufficient separation between user-controlled document fields and internal metadata in certain execution paths.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
This vulnerability stems from insufficient input validation and namespace confusion (CWE-617) in MongoDB's query execution layer. When processing certain document structures, user-controlled fields can interfere with internal metadata that MongoDB relies on during query optimization and result generation. An authenticated attacker can craft specially formed documents that trigger either a denial of service (crash) or data integrity issues (incorrect results). The vector indicates network accessibility with low attack complexity, but requires valid authentication credentials.
Business impact
Organizations running MongoDB face two distinct risks: service disruption from intentional server crashes, and silent data corruption where queries return wrong results without obvious indication of failure. The latter poses particular risk in financial, healthcare, or analytics contexts where data accuracy is critical and users may not immediately detect anomalies. Recovery from crashes requires administrative intervention; data corruption may go unnoticed and propagate downstream.
Affected systems
MongoDB installations are affected. Verify your specific deployment version against the official MongoDB security advisory to confirm which releases are vulnerable. Both on-premises and cloud-managed MongoDB instances using affected versions require attention.
Exploitability
Exploitation requires valid database credentials—an insider threat, compromised application account, or credential theft scenario. It is not remotely exploitable via unauthenticated access. The attack has low complexity once authenticated, requiring only document creation using standard MongoDB operations. Organizations with strict credential hygiene and least-privilege access controls reduce but do not eliminate this risk.
Remediation
Apply the security patch released by MongoDB addressing this metadata validation issue. Implement or strengthen database access controls: enforce strong authentication, restrict database user accounts to minimum required privileges, and monitor for unusual document creation patterns or query anomalies. Credential rotation is advisable if compromise is suspected.
Patch guidance
Consult the official MongoDB security advisory for affected version numbers and corresponding patched releases. Apply patches during a maintenance window, testing in a staging environment first to ensure application compatibility. If patching is delayed, restrict database access to trusted application accounts only and implement compensating controls such as read-only modes where operationally feasible.
Detection guidance
Monitor MongoDB logs for unusual document structures or repeated query failures. Track authentication events and failed queries that return unexpected results or error messages. Alert on any unexpected server restarts or crashes correlated with specific user accounts. In analytics or reporting pipelines, implement data reconciliation checks to catch silent result corruption early.
Why prioritize this
While classified as medium severity, prioritize this based on your deployment's exposure: if untrusted users have database accounts, or if compromised application credentials are plausible, escalate priority. Data integrity issues may pose higher long-term risk than crashes depending on your compliance posture and downstream data usage.
Risk score, explained
CVSS 6.5 (Medium) reflects high impact on availability (crash scenarios) combined with requirement for valid authentication. The absence of confidentiality or integrity scoring in the vector may underweight silent data corruption risk; assess this vulnerability against your own data sensitivity and access control maturity.
Frequently asked questions
Does this vulnerability require network access to exploit?
No—it requires valid database credentials to authenticate. Once authenticated, exploitation is possible from within the network or via any connection method MongoDB accepts, including cloud-managed instances.
Will this cause immediate, obvious failures?
Crashes will be obvious, but incorrect query results may go undetected without additional monitoring. Implement data validation checks in applications relying on MongoDB queries.
Can I work around this without patching?
Partial mitigation: restrict database access to trusted application accounts only, implement query result validation, and monitor logs for anomalies. These do not eliminate the vulnerability but reduce exposure while patch testing occurs.
How do I know if we've been exploited?
Look for unexpected server crashes, authentication events from unusual accounts, or data discrepancies in query results. Enable MongoDB audit logging if not already active, and review it for suspicious document creation patterns.
This analysis is based on published CVE details as of the modification date. Verify all patch version numbers and affected releases against the official MongoDB security advisory before deployment. No exploit code or proof-of-concept is provided. This vulnerability requires valid authentication and is not actively tracked in CISA's KEV catalog as of publication. Consult with MongoDB support and your security team for environment-specific risk assessment. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-9746MEDIUMMongoDB Authenticated Denial-of-Service via Change Stream Resharding
- CVE-2026-9748MEDIUMMongoDB Denial of Service via Pipeline Signal Misuse
- CVE-2026-9749MEDIUMMongoDB Aggregation Pipeline Denial of Service via $exchange Buffer Tracking Flaw
- CVE-2026-46220MEDIUMLinux AMDGPU Kernel Panic DoS Vulnerability
- CVE-2026-46287MEDIUMLinux txgbe Driver RTNL Locking Defect
- CVE-2026-46542MEDIUMNimiq Ed25519 Denial-of-Service Vulnerability (Version 1.4.0 Patch)
- CVE-2026-46543MEDIUMNimiq Remote Node Crash Vulnerability
- CVE-2026-10300LOWSGLang Inference Endpoint Assertion Failure Vulnerability (CWE-617)