Date: May 12-13, 2026
Primary Affected Versions:
- Percona Server for MongoDB 7.0.x (pre-7.0.34) and Community
- Percona Server for MongoDB 8.0.x (pre-8.0.23) and Community
High Priority
- CVE-2026-8053 (FlatBSON Index Drift)
  - CVSS: 8.7
  - Impact: Arbitrary Code Execution / Out-of-bounds memory write.
  - Scope: Time-series collections; affects versions as far back as v5.0.33 and v6.0.28.
  - Risk: Authenticated users with write privileges.
  - Details: SERVER-126021
- CVE-2026-8336 (UAF in $_internalJsEmit)
  - CVSS: 7.7
  - Impact: Denial of Service (mongod crash) via server-side JS engine.
  - Details: SERVER-121610
- CVE-2026-8199 (Memory Exhaustion)
  - CVSS: 7.1
  - Impact: OOM (Out of Memory) availability loss via bitwise match expressions.
  - Details: SERVER-122449
Medium Priority
- CVE-2026-8201 (FLE Use-After-Free)
  - CVSS: 6.1
  - Impact: Affects mongocryptd and crypt_shared during query analysis on encrypted fields.
  - Details: SERVER-122032
- CVE-2026-8202 (CPU Utilization DoS)
  - CVSS: 5.3
  - Impact: 100% CPU pinning via $trim/$ltrim/$rtrim operators.
  - Details: SERVER-120668
- CVE-2026-8200 (Schema Validation Leak)
  - CVSS: 4.8
  - Impact: PII/User data may not be properly redacted in local server logs when schema validation fails.
  - Details: SERVER-121895
Next steps: Releases are in preparation now. ETA end of next week (tentative / not committed yet). I’ll confirm as soon as possible.