CVE-2026-9746

Summary

When using $changestreams and $_requestReshardingResumeToken with the exchange option the server hits an invariant which causes the server to crash. There are no special privileges needed. The user must be logged in to issue the statement.

Affected Software

VendorProductVersion RangeStatus
MongoDBMongoDB Server8.3.0 < 8.3.3affected
MongoDBMongoDB Server8.2.0 < 8.2.10affected
MongoDBMongoDB Server8.0.0 < 8.0.24affected
MongoDBMongoDB Server7.0.0 < 7.0.35affected

Weaknesses

  • CWE-617: CWE-617 Reachable assertion

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References