CVE-2026-8053

HIGH

MongoDB, MongoDB Server - FlatBSON Duplicate Field Index Drift


Exploitation Summary

EIP tracks 2 public exploits for CVE-2026-8053. PoCs published by fearlessresponsesolution, mgiay.

AI-analyzed exploit summary: This repository contains a bash script that scans MongoDB servers for CVE-2026-8053, an out-of-bounds write vulnerability in the time-series bucket catalog. The script checks the MongoDB version against patched versions and does not include exploit code.

Description

An issue in MongoDB Server's time-series collection implementation allows an authenticated user with database write privileges to trigger an out-of-bounds memory write in the mongod process. The issue results from an inconsistency in the internal field-name-to-index mapping within the time-series bucket catalog. Under certain conditions this can result in arbitrary code execution. This issue impacts MongoDB Server v5.0 versions prior to 5.0.33, v6.0 versions prior to 6.0.28, v7.0 versions prior to 7.0.34, v8.0 versions prior to 8.0.23, v8.2 versions prior to 8.2.9 and v8.3 versions prior to 8.3.2.

Exploits (2)

github SCANNER
by fearlessresponsesolution · tsqlpoc
https://github.com/fearlessresponsesolution/cve-pocs/tree/master/pocs/CVE-2026-8053

Classification: Scanner 95%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: MongoDB Server (versions 5.0-8.3)
Auth required
Prerequisites: authenticated access to MongoDB · knowledge of MongoDB version
devstral-2 · analyzed May 19, 2026

References (1)

Core References
Issue Tracking: https://jira.mongodb.org/browse/SERVER-126021

Scores

CVSS v3 8.8
EPSS 0.0009
EPSS Percentile 26.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE: CWE-787
Status published
Products (7)
mongodb/mongodb 5.0.0 - 5.0.33
MongoDB, Inc./MongoDB Server 5.0 - 5.0.33
MongoDB, Inc./MongoDB Server 6.0 - 6.0.28
MongoDB, Inc./MongoDB Server 7.0 - 7.0.34
MongoDB, Inc./MongoDB Server 8.0 - 8.0.23
MongoDB, Inc./MongoDB Server 8.2 - 8.2.9
MongoDB, Inc./MongoDB Server 8.3 - 8.3.2
Published May 13, 2026
Tracked Since May 13, 2026