BIT-mongodb-2026-11933

Import Source
https://github.com/bitnami/vulndb/tree/main/data/mongodb/BIT-mongodb-2026-11933.json
JSON Data
https://api.osv.dev/v1/vulns/BIT-mongodb-2026-11933
Aliases
  • CVE-2026-11933
Published
2026-06-23T14:48:21.005Z
Modified
2026-06-23T15:15:07.802905283Z
Summary
Post-authentication use-after-free in server-side JavaScript BSON-to-array conversion
Details

A use-after-free vulnerability exists in MongoDB Server's server-side JavaScript engine when converting BSON documents to JavaScript arrays. An authenticated user with read privileges who is able to run server-side JavaScript (for example, via $where or $function) can cause the server to access memory that has already been freed. This may result in disclosure of information from the mongod process memory or a denial of service through a server crash.

Database specific
{
    "cpes": [
        "cpe:2.3:a:mongodb:mongodb:*:*:*:*:-:*:*:*"
    ],
    "severity": "High"
}
References

Affected packages

Bitnami / mongodb

Package

Name
mongodb
Purl
pkg:bitnami/mongodb

Severity

  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Affected ranges

Type: SEMVER
Events:
  • Introduced 4.4.0, Fixed 4.4.31
  • Introduced 5.0.0, Fixed 5.0.34
  • Introduced 6.0.0, Fixed 6.0.29
  • Introduced 7.0.0, Fixed 7.0.37
  • Introduced 8.0.0, Fixed 8.0.26
  • Introduced 8.2.0, Fixed 8.2.11
  • Introduced 8.3.0, Fixed 8.3.4

Database specific

source
"https://github.com/bitnami/vulndb/tree/main/data/mongodb/BIT-mongodb-2026-11933.json"