CVE-2026-4148

HIGH

ExpressionContext use-after-free in classic engine $lookup and $graphLookup aggregation operators

Title source: cna

Description

A use-after-free vulnerability can be triggered in sharded clusters by an authenticated user with the read role who issues a specially crafted $lookup or $graphLookup aggregation pipeline.

References (1)

https://jira.mongodb.org/browse/SERVER-119319

Scores

CVSS v3 8.8

EPSS 0.0006

EPSS Percentile 17.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-416

Status published

Products (5)

mongodb/mongodb 8.3.0 alpha0 (5 CPE variants)

mongodb/mongodb 7.0.0 - 7.0.31

MongoDB Inc/MongoDB Server 7.0 - 7.0.31

MongoDB Inc/MongoDB Server 8.0 - 8.0.20

MongoDB Inc/MongoDB Server 8.2 - 8.2.6

Published Mar 17, 2026

Tracked Since Mar 17, 2026