CVE-2026-8336

Severity CVSS v4.0:
HIGH
Type:
CWE-416 Use After Free
Publication date:
13/05/2026
Last modified:
18/05/2026

Description

After invoking $_internalJsEmit, which is not intended to be directly accessible, or mapreduce command’s map function in a certain way, an authenticated user can subsequently crash mongod when the server-side JavaScript engine (through $where, $function, mapreduce reduce stage, etc.) is used also in a specific way, resulting in a post-authentication denial-of-service.<br /> <br /> This issue impacts MongoDB Server v8.2 versions prior to 8.2.9 and v8.3 versions prior to 8.3.2.

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:* 8.2.0 (including) 8.2.9 (excluding)
cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:* 8.3.0 (including) 8.3.2 (excluding)


References to Advisories, Solutions, and Tools