CVE-2026-8053 · HIGH 8.8 · EPSS p40.6%


Description

An issue in MongoDB Server's time-series collection implementation allows an authenticated user with database write privileges to trigger an out-of-bounds memory write in the mongod process. The issue results from an inconsistency in the internal field-name-to-index mapping within the time-series bucket catalog. Under certain conditions this can result in arbitrary code execution. This issue impacts MongoDB Server v5.0 versions prior to 5.0.33, v6.0 versions prior to 6.0.28, v7.0 versions prior to 7.0.34, v8.0 versions prior to 8.0.23, v8.2 versions prior to 8.2.9 and v8.3 versions prior to 8.3.2.

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.53% probability of exploitation · percentile 40.6% · 2026-06-19T12:03:05Z
Published: 2026-05-13
Last modified: 2026-05-18

Underlying weaknesses · 1

CWE-787

References

  1. https://jira.mongodb.org/browse/SERVER-126021


Type: Weakness
Target: Out-of-bounds Write (cwe-787)
Confidence: 0%
Tier: live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE: CVE-2026-9750
CVE: CVE-2026-8201
CVE: CVE-2026-9743
CVE: CVE-2026-9740
CVE: CVE-2025-6706
CVE: MongoDB and MongoDB Server Improper Handling of Length Parameter Inconsistency Vulnerability

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.