Introduction
A use-after-free vulnerability in MongoDB Server's MozJS BSON binding layer allows any authenticated user with read privileges to trigger memory disclosure or a server crash through deprecated but still widely available server-side JavaScript operators. The flaw, tracked as CVE-2026-11933 with a CVSS v4.0 score of 8.7, stems from an ownership semantics mismatch in how BSON documents are converted to JavaScript arrays, and it affects every supported MongoDB release line from 4.4 through 8.3.
What makes this vulnerability particularly noteworthy is its position within a broader pattern: it is the latest in a cluster of use-after-free issues discovered in MongoDB's JavaScript engine integration layer, joining CVE-2026-8336 and the much older CVE-2019-2390 in the same code path. Combined with the recent MongoBleed (CVE-2025-14847) exploitation campaign, this CVE reinforces that MongoDB's memory management in its scripting subsystems remains an active area of security concern.
Technical Information
Root Cause: Ownership Semantics Mismatch in bsonObjToArray
The vulnerability originates in MongoDB's MozJS BSON binding layer, the code responsible for marshaling BSON data structures into SpiderMonkey (MozJS) JavaScript objects during server-side script execution. As documented in MongoDB JIRA ticket SERVER-128125, titled "Align bsonObjToArray ownership semantics with bsonGetImmutable," the root cause is an inconsistency between two related functions:
bsonGetImmutablecorrectly ensures that the underlyingBSONObjis owned (i.e., the memory backing the BSON document is guaranteed to remain valid) before creating JavaScript wrappers that reference it.bsonObjToArraydoes not apply the same ownership check when operating on sub-document wrappers.
This discrepancy means that when bsonObjToArray processes BSON documents containing arrays during server-side JavaScript execution, the resulting JavaScript array objects may hold pointers into memory that the BSON layer has already deallocated. Any subsequent read or write through these dangling references constitutes a use-after-free condition.
The CWE assignment of CWE-787 (Out-of-bounds Write) reflects the downstream consequence: accessing freed memory effectively constitutes an out-of-bounds memory operation, since the freed region may have been reallocated for a different purpose.
CVSS v4.0 Vector Analysis
The CVSS v4.0 vector assigned by MongoDB as CNA is:
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
| Metric | Value | Significance |
|---|---|---|
| Attack Vector (AV) | Network | Exploitable remotely over the network |
| Attack Complexity (AC) | Low | No special conditions required |
| Attacker Requirements (AT) | None | No prior access beyond authentication needed |
| Privileges Required (PR) | Low | Only authenticated read access needed |
| User Interaction (UI) | None | No user action required |
| Vulnerable System Confidentiality (VC) | High | Full process memory may be disclosed |
| Vulnerable System Integrity (VI) | High | Potential for memory corruption |
| Vulnerable System Availability (VA) | High | Server crash causes full denial of service |
The NVD has not yet performed its own independent CVSS assessment; the 8.7 score originates from MongoDB, Inc. as the CNA.
Attack Flow
The exploitation sequence proceeds as follows:
-
Authentication: An attacker authenticates to a MongoDB instance with at least read privileges on a target collection. This is the minimum privilege level; no administrative or cluster-level roles are required.
-
Query Construction: The attacker constructs a query or aggregation pipeline that uses the
$whereoperator or the$functionaggregation operator. The$whereoperator evaluates a JavaScript expression or function against each document to determine filter matches. The$functionoperator defines custom aggregation expressions executed on the database server. -
Triggering the Vulnerable Code Path: When the query engine processes documents containing BSON arrays, it invokes
bsonObjToArrayto convert those arrays into JavaScript array objects for use within the JavaScript execution context. Due to the missing ownership check, the JavaScript engine receives references to memory that the BSON layer may subsequently free. -
Memory Access: Subsequent access to these stale references causes the
mongodprocess to read from or write to freed memory. Depending on the state of the heap, this can result in:- Information disclosure: The freed memory region may have been reallocated and populated with other data from the
mongodprocess, including potentially sensitive information such as credentials, encryption keys, or other users' document data. - Denial of service: If the freed memory is in an inconsistent state, the access triggers a segmentation fault or assertion failure, crashing the
mongodprocess.
- Information disclosure: The freed memory region may have been reallocated and populated with other data from the
Deprecated Operators as the Attack Surface
The $where, $function, and $accumulator operators have been formally deprecated starting in MongoDB 8.0. However, deprecation does not mean removal: these operators remain functional in current releases and are still widely used in legacy applications. The deprecation does reduce the long-term attack surface for organizations that proactively migrate to native aggregation pipeline operators such as $match, $expr, and $lookup.
Interim Workaround: Disabling Server-Side JavaScript
For organizations unable to upgrade immediately, MongoDB provides a configuration option to disable server-side JavaScript execution entirely:
security: javascriptEnabled: false
This setting disables execution of all server-side JavaScript, including $where, $function, $accumulator, and mapReduce operations. This effectively neutralizes the attack vector but will break any application functionality that depends on these operators.
Defense in Depth Recommendations
- Restrict RBAC privileges: Review role-based access control to confirm that application accounts do not have unnecessary privileges to execute server-side JavaScript operators.
- Migrate away from deprecated operators: Refactor queries to use native aggregation pipeline operators instead of JavaScript-based expressions.
- Network segmentation: Limit network access to MongoDB instances to trusted application servers only.
- Audit logging: Enable MongoDB audit logging and monitor for unexpected use of
$whereor$functionoperators, particularly from low-privilege accounts. - Atlas deployments: MongoDB Atlas may disable server-side JavaScript by default for certain configurations. Organizations running Atlas should verify their cluster's
security.javascriptEnabledsetting and confirm their cluster version meets or exceeds the fixed versions.
Affected Systems and Versions
The JIRA ticket identifies the affected version as 8.0.27 and lists the following fixed versions across all supported release lines:
| Release Line | Fixed Version |
|---|---|
| 4.4 | 4.4.31 |
| 5.0 | 5.0.34 |
| 6.0 | 6.0.29 |
| 7.0 | 7.0.37 |
| 8.0 | 8.0.26 |
| 8.2 | 8.2.11 |
| 8.3 | 8.3.4 |
Any MongoDB Server version below these fixed versions within the respective release line is vulnerable, provided server-side JavaScript execution is enabled (which is the default configuration).
The fix is marked as Fully Compatible for backwards compatibility, meaning upgrades within the same release line should not introduce breaking changes.
Vendor Security History
CVE-2026-11933 is part of a recurring pattern of memory-safety issues in MongoDB's scripting and query layers. The following timeline illustrates the trend:
CVE-2019-2390 affected MongoDB Server v3.4 prior to 3.4.22, v3.6 prior to 3.6.14, and v4.0 prior to 4.0.11. It involved an authenticated user triggering a use-after-free that could result in a MongoDB Server crash. The recurrence of use-after-free conditions in the BSON-to-JavaScript conversion layer over multiple years suggests this code path has been a persistent area of memory-safety concern.
Between May 2026 and the CVE-2026-11933 publication, MongoDB disclosed multiple additional vulnerabilities:
| CVE ID | Subsystem | CVSS | Description |
|---|---|---|---|
| CVE-2026-4148 | Aggregation ($lookup/$graphLookup) | 8.7 | ExpressionContext UAF on sharded clusters |
| CVE-2026-8336 | Server-side JS ($_internalJsEmit/mapReduce) | 7.7 | Post-auth UAF in JS execution |
| CVE-2026-8201 | Field-Level Encryption | 6.1 | UAF in FLE query analysis |
| CVE-2026-25611 | JSON parsing | N/A | Denial of service via date value handling |
| CVE-2025-14847 | Zlib compression | Critical | MongoBleed: unauthenticated memory disclosure |
| CVE-2025-6713 | Aggregation ($mergeCursors) | Critical | Unauthorized data access bypassing RBAC |
The concentration of use-after-free vulnerabilities in the server-side JavaScript and aggregation subsystems suggests that the MozJS integration layer and the query execution engine represent areas of elevated memory-safety risk within the MongoDB codebase.
Independent security analysts characterize MongoDB as having a "solid track record of addressing vulnerabilities promptly" with a "mature security response process." For CVE-2026-11933 specifically, the 9-day resolution window from internal tracking to fix deployment across seven release branches is consistent with this assessment.
The broader question, however, is whether the fundamental architecture of embedding a JavaScript engine (SpiderMonkey/MozJS) within the database server creates an inherent and persistent memory-safety attack surface that individual patches cannot fully address. The deprecation of server-side JavaScript operators in MongoDB 8.0 may represent MongoDB's own acknowledgment of this architectural concern.
References
- NVD: CVE-2026-11933
- MongoDB JIRA: SERVER-128125
- MongoDB Server-side JavaScript Documentation
- MongoDB Alerts
- CWE-787: Out-of-bounds Write
- CISA Known Exploited Vulnerabilities Catalog
- MongoBleed (CVE-2025-14847) Exploited in the Wild: Wiz
- Threat Brief: MongoDB Vulnerability (CVE-2025-14847): Palo Alto Unit 42
- MongoDB CVE-2025-6713: Unauthorized Data Access: ZeroPath
- CVE-2026-8201: NVD
- CVE-2026-25611: MongoDB Server DOS Vulnerability: SentinelOne
- CVE-2019-2390: NVD
- MongoDB $where Operator JavaScript Injection: Invicti
- MongoBleed Vulnerability: CVE-2025-14847: Phoenix Security
- Important MongoDB Patch Available: May 2026
- CVEs, Same Playbook: 2026 Vulnerability Exploitation in the Wild: Proofpoint



