CVE-2026-8336
HIGHPost-authentication use-after-free error in $_internalJsEmit and mapreduce commands
Title source: cnaDescription
After invoking $_internalJsEmit, which is not intended to be directly accessible, or mapreduce command’s map function in a certain way, an authenticated user can subsequently crash mongod when the server-side JavaScript engine (through $where, $function, mapreduce reduce stage, etc.) is used also in a specific way, resulting in a post-authentication denial-of-service. This issue impacts MongoDB Server v8.2 versions prior to 8.2.9 and v8.3 versions prior to 8.3.2.
References (1)
Core 1
Core References
Issue Tracking issue-tracking
https://jira.mongodb.org/browse/SERVER-121610
Scores
CVSS v3
7.5
EPSS
0.0026
EPSS Percentile
16.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-416
Status
published
Products (5)
mongodb/mongodb
8.2.0 - 8.2.9
MongoDB, Inc./MongoDB Server
7.0 - 7.0.34
MongoDB, Inc./MongoDB Server
8.0 - 8.0.23
MongoDB, Inc./MongoDB Server
8.2 - 8.2.9
MongoDB, Inc./MongoDB Server
8.3 - 8.3.2
Published
May 13, 2026
Tracked Since
May 13, 2026