CVE-2026-11933

Summary

A use-after-free vulnerability exists in MongoDB Server's server-side JavaScript engine when converting BSON documents to JavaScript arrays. An authenticated user with read privileges who is able to run server-side JavaScript (for example, via $where or $function) can cause the server to access memory that has already been freed. This may result in disclosure of information from the mongod process memory or a denial of service through a server crash.

Affected Software

VendorProductVersion RangeStatus
MongoDBMongoDB8.3.0 <= 8.3.3affected
MongoDBMongoDB8.2.0 <= 8.2.10affected
MongoDBMongoDB8.0.0 <= 8.0.25affected
MongoDBMongoDB7.0.0 <= 7.0.36affected
MongoDBMongoDB6.0 <= 6.0.28affected
MongoDBMongoDB5.0 <= 5.0.33affected
MongoDBMongoDB4.4.0 <= 4.4.30affected

Weaknesses

  • CWE-787: CWE-787: Out-of-bounds Write

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References