Post-authentication use-after-free error in $_internalJsEmit and mapreduce commands_CVE-2026-8336

7.7 / 10

HIGH

CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/AU:N/R:A/V:D/RE:M/U:Red

Description

After invoking $_internalJsEmit, which is not intended to be directly accessible, or mapreduce command’s map function in a certain way, an authenticated user can subsequently crash mongod when the server-side JavaScript engine (through $where, $function, mapreduce reduce stage, etc.) is used also in a specific way, resulting in a post-authentication denial-of-service.

This issue impacts MongoDB Server v7.0 versions prior to 7.0.34, v8.0 versions prior to 8.0.23, v8.2 versions prior to 8.2.9 and v8.3 versions prior to 8.3.2.

Basic Information

ID CVE-2026-8336

Source mongodb

Published May 13, 2026 at 00:16

Affected Product

Vendor MongoDB, Inc.

Product MongoDB Server

Version 7.0

Affected Versions MongoDB, Inc. MongoDB Server 7.0
MongoDB, Inc. MongoDB Server 8.0
MongoDB, Inc. MongoDB Server 8.2
MongoDB, Inc. MongoDB Server 8.3

CWE Classification

CWE-416

References

jira.mongodb.org /browse/SERVER-121610

{
    "lastseen": "",
    "description": "After invoking $_internalJsEmit, which is not intended to be directly accessible, or mapreduce command\u2019s map function in a certain way, an authenticated user can subsequently crash mongod when the server-side JavaScript engine (through $where, $function, mapreduce reduce stage, etc.) is used also in a specific way, resulting in a post-authentication denial-of-service.\n\nThis issue impacts MongoDB Server v7.0 versions prior to 7.0.34, v8.0 versions prior to 8.0.23, v8.2 versions prior to 8.2.9 and v8.3 versions prior to 8.3.2.",
    "published": "2026-05-13T00:16:16.568Z",
    "modified": "2026-05-13T00:16:16.568Z",
    "type": "cve",
    "title": "Post-authentication use-after-free error in $_internalJsEmit and mapreduce commands",
    "source": "mongodb",
    "references": "https://jira.mongodb.org/browse/SERVER-121610",
    "id": "CVE-2026-8336",
    "bulletinFamily": "",
    "cwe": [
        "CWE-416"
    ],
    "cvelist": null,
    "sourceData": "MongoDB, Inc. MongoDB Server 7.0\nMongoDB, Inc. MongoDB Server 8.0\nMongoDB, Inc. MongoDB Server 8.2\nMongoDB, Inc. MongoDB Server 8.3",
    "sourceHref": "",
    "cvss": {
        "score": 7.7,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/AU:N/R:A/V:D/RE:M/U:Red",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "MongoDB Server",
    "version": "7.0",
    "vendor": "MongoDB, Inc.",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}