CVE-2026-4148

Summary

A use-after-free vulnerability can be triggered in sharded clusters by an authenticated user with the read role who issues a specially crafted $lookup or $graphLookup aggregation pipeline.

Affected Software

VendorProductVersion RangeStatus
MongoDB IncMongoDB Server8.2 < 8.2.6affected
MongoDB IncMongoDB Server8.0 < 8.0.20affected
MongoDB IncMongoDB Server7.0 < 7.0.31affected

Weaknesses

  • CWE-416: CWE-416 Use after free

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References