216.73.217.22

CVE-2026-8063

· Published 07/05/2026 06:16 · Modified 07/05/2026 15:11

Labels: CVE-2026-8063 2026-05-07CVE-2026-8063CWE-476[email protected]

Essential information

Published
07/05/2026 06:16
Modified
07/05/2026 15:11
Author
Creator
CVSS
7.1 HIGH (v3) 7.1 HIGH (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

An authenticated user can crash mongod when running $rankFusion or $scoreFusion with an empty pipeline on a view. When resolving a view, the server inspects the aggregation pipeline to determine whether it begins with an Atlas Search stage. For $rankFusion and $scoreFusion, this inspection reads the first element on each stage’s input pipeline array without first verifying that the array is non-empty. Supplying an empty pipeline causes a null pointer dereference and crashes the server. This issue affects MongoDB Server 8.2 versions prior to 8.2.7.

NVD status

Status
Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
mongodb / mongodb server cpe:2.3:a:mongodb:mongodb_server:<8.2.7:*:*:*:*:*:*:*

References