CVE-2026-11933

A use-after-free vulnerability exists in MongoDB Server's server-side JavaScript engine when converting BSON documents to JavaScript arrays. An authenticated user with read privileges who is able to run server-side JavaScript (for example, via $where or $function) can cause the server to access memory that has already been freed. This may result in disclosure of information from the mongod process memory or a denial of service through a server crash.
References
Link Resource
https://jira.mongodb.org/browse/SERVER-128125 Patch Vendor Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:mongodb:mongodb:*:*:*:*:-:*:*:*
cpe:2.3:a:mongodb:mongodb:*:*:*:*:-:*:*:*
cpe:2.3:a:mongodb:mongodb:*:*:*:*:-:*:*:*
cpe:2.3:a:mongodb:mongodb:*:*:*:*:-:*:*:*
cpe:2.3:a:mongodb:mongodb:*:*:*:*:-:*:*:*
cpe:2.3:a:mongodb:mongodb:*:*:*:*:-:*:*:*
cpe:2.3:a:mongodb:mongodb:*:*:*:*:-:*:*:*

History

22 Jun 2026, 14:38

Type Values Removed Values Added
CWE CWE-416
First Time Mongodb mongodb
Mongodb
References () https://jira.mongodb.org/browse/SERVER-128125 - () https://jira.mongodb.org/browse/SERVER-128125 - Patch, Vendor Advisory
CPE cpe:2.3:a:mongodb:mongodb:*:*:*:*:-:*:*:*

12 Jun 2026, 02:16

Type Values Removed Values Added
New CVE

Information

Published : 2026-06-12 02:16

Updated : 2026-06-22 14:38


NVD link : CVE-2026-11933

Mitre link : CVE-2026-11933

CVE.ORG link : CVE-2026-11933


JSON object : View

Products Affected

mongodb

  • mongodb
CWE
CWE-787

Out-of-bounds Write

CWE-416

Use After Free