After invoking $_internalJsEmit, which is not intended to be directly accessible, or mapreduce command’s map function in a certain way, an authenticated user can subsequently crash mongod when the server-side JavaScript engine (through $where, $function, mapreduce reduce stage, etc.) is used also in a specific way, resulting in a post-authentication denial-of-service.
This issue impacts MongoDB Server v8.2 versions prior to 8.2.9 and v8.3 versions prior to 8.3.2.
References
| Link | Resource |
|---|---|
| https://jira.mongodb.org/browse/SERVER-121610 | Issue Tracking Vendor Advisory |
Configurations
Configuration 1 (hide)
|
History
18 May 2026, 12:54
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://jira.mongodb.org/browse/SERVER-121610 - Issue Tracking, Vendor Advisory | |
| First Time |
Mongodb mongodb
Mongodb |
|
| CPE | cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:* |
15 May 2026, 17:16
| Type | Values Removed | Values Added |
|---|---|---|
| Summary | (en) After invoking $_internalJsEmit, which is not intended to be directly accessible, or mapreduce command’s map function in a certain way, an authenticated user can subsequently crash mongod when the server-side JavaScript engine (through $where, $function, mapreduce reduce stage, etc.) is used also in a specific way, resulting in a post-authentication denial-of-service. This issue impacts MongoDB Server v8.2 versions prior to 8.2.9 and v8.3 versions prior to 8.3.2. |
13 May 2026, 15:34
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-05-13 04:17
Updated : 2026-05-18 12:54
NVD link : CVE-2026-8336
Mitre link : CVE-2026-8336
CVE.ORG link : CVE-2026-8336
JSON object : View
Products Affected
mongodb
- mongodb
CWE
CWE-416
Use After Free