IsItPatchedInstant security status for any software version
← All products

CVE-2026-8053

HIGH severity · CVSS 8.8 · Out-of-bounds write
8.8CVSS HIGH

Summary

An issue in MongoDB Server's time-series collection implementation allows an authenticated user with database write privileges to trigger an out-of-bounds memory write in the mongod process. The issue results from an inconsistency in the internal field-name-to-index mapping within the time-series bucket catalog. Under certain conditions this can result in arbitrary code execution. This issue impacts MongoDB Server v5.0 versions prior to 5.0.33, v6.0 versions prior to 6.0.28, v7.0 versions prior to 7.0.34, v8.0 versions prior to 8.0.23, v8.2 versions prior to 8.2.9 and v8.3 versions prior to 8.3.2.

Impact & exploitability

Attack vectorNetwork
Attack complexityLow
Privileges requiredLow
User interactionNone
Confidentiality impactHigh
Integrity impactHigh
Availability impactHigh
Exploit probability (EPSS)0%

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected products we track (1)

MongoDB

Recommendation

Apply the vendor fix promptly. Open any affected product above for its exact safe version.

Official patch: https://jira.mongodb.org/browse/SERVER-126021 ↗

Additional information

Last checked: Wed, 10 Jun 2026 22:18:30 UTC