Hi everyone,
We’re publishing two security advisories for MongoDB this week, both affecting Percona Server for MongoDB. They will be fixed in the same coordinated patch release, so the upgrade is a single window — but between disclosure and the patch, they require different responses. Here’s the short version.
CVE-2026-9740 — pre-authentication DoS
Severity: High • CVSS: 8.7 • Upstream: SERVER-125063
A stack overflow in the BSON validator’s BSONColumn interleaved-reference handling. An unauthenticated attacker can crash mongod by sending a single specially crafted message over the wire.
The important part: no credentials are required. Anyone with network reach to a mongod port can trigger the crash. No information disclosure has been demonstrated — this is strictly a DoS issue — but the lack of any authentication requirement makes it the more urgent one to triage for any deployment that isn’t on a tightly controlled private network.
There is no configuration off-switch. The BSON validator runs on every client message and cannot be disabled. Until you patch, the only mitigation is to limit which networks can reach the mongod port at all (interface binding plus firewall or security-group rules).
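As an added illustration (not part of the advisory): the mongod net settings that control which interfaces the port is exposed on. The addresses are placeholders. Note that bindIp only restricts the interfaces mongod listens on; it does not filter source addresses on those interfaces, so a host that must stay reachable from application subnets still needs a host firewall or cloud security group that allows only those subnets to reach the port.

```yaml
# Added example, not from the Percona advisory. Addresses are placeholders.
net:
  port: 27017
  # Loopback plus the private interface used by replica-set members and
  # application hosts; nothing on a public interface.
  bindIp: 127.0.0.1,10.0.5.12
  # Do not set bindIpAll: true (or --bind_ip_all) while the DoS is unpatched;
  # it listens on every interface and undoes the restriction above.
```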
Affected: PSMDB 8.0 ≤ 8.0.23-10, PSMDB 7.0 ≤ 7.0.34-19. The vulnerable code path was introduced in 7.0; 6.0 and earlier are not affected by this CVE.
CVE-2026-11933 — post-authentication use-after-free
Severity: High • CVSS: 8.8 • Upstream: SERVER-128125
A use-after-free in the server-side JavaScript engine, in the BSON-to-array conversion path. An authenticated user with read privileges who can execute server-side JavaScript ($where, $function, $accumulator, mapReduce, system.js) can drive the engine into accessing freed memory. Demonstrated outcomes are information disclosure from mongod process memory and denial of service via a crash; remote code execution has not been demonstrated.
Good news: a real configuration mitigation exists. If your application does not use server-side JavaScript, disabling it removes the attack surface entirely:
security:
  javascriptEnabled: false
Or pass --noscripting on the command line. Apply it to both mongod and mongos. After a restart, any operation that uses $where, $function, $accumulator, mapReduce, or system.js will return an error. If your application doesn't use any of those, this is a full mitigation until you patch.
Not sure whether your application uses server-side JavaScript? Turn on the database profiler at level 2 (every operation is recorded, so expect some overhead) for a representative window on a node that actually serves your application's traffic, then search the system.profile collection for those operator names. Two caveats: the profiler only records operations executed on that node, so if you use secondary read preferences you need to cover the secondaries as well; and system.profile is a capped collection of 1 MB by default, so on a busy node raise its size or export it periodically, otherwise the window you captured gets overwritten. A few teams have found out this week that the answer was "no, we don't use any of it", meaning their entire pre-patch mitigation cost was a mongod and mongos restart.
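To make that search mechanical, here is an added example (my own code, not from the advisory or from Percona) that classifies profiler entries by the server-side JavaScript feature they exercise. It walks each recorded command document for the $where, $function and $accumulator operators, flags mapReduce commands, and flags any operation against a database's system.js collection. The sample entries are constructed to resemble system.profile documents and are not real data; the function and field names below are my own.

```javascript
// Added example, not part of the Percona advisory. Runs under Node on the
// constructed sample below; in mongosh, feed it db.system.profile.find().toArray().

// Query/aggregation operators that execute server-side JavaScript.
const JS_OPERATORS = new Set(["$where", "$function", "$accumulator"]);

// Walk a command document recursively and collect any JS operators it uses.
// Operators can be nested arbitrarily deep (filters, $expr, pipeline stages),
// so a top-level key check is not enough.
function findJsOperators(value, found = new Set()) {
  if (Array.isArray(value)) {
    for (const item of value) findJsOperators(item, found);
  } else if (value !== null && typeof value === "object") {
    for (const [key, child] of Object.entries(value)) {
      if (JS_OPERATORS.has(key)) found.add(key);
      findJsOperators(child, found);
    }
  }
  return found;
}

// Return the reasons one profiler entry counts as server-side JS usage.
// An empty array means the entry does not touch the JS engine.
function serverSideJsReasons(entry) {
  const reasons = [];
  const cmd = entry.command || {};
  // mapReduce is accepted in both spellings by the server.
  if ("mapReduce" in cmd || "mapreduce" in cmd) reasons.push("mapReduce");
  // Any operation on <db>.system.js means stored JavaScript is in play.
  if (typeof entry.ns === "string" && entry.ns.endsWith(".system.js")) reasons.push("system.js");
  for (const op of findJsOperators(cmd)) reasons.push(op);
  return reasons;
}

// Summarise a batch of profiler entries: hit count per reason plus the
// namespaces involved, so you know which application paths to look at.
function summarizeProfile(entries) {
  const byReason = {};
  const namespaces = new Set();
  for (const entry of entries) {
    const reasons = serverSideJsReasons(entry);
    for (const r of reasons) byReason[r] = (byReason[r] || 0) + 1;
    if (reasons.length > 0) namespaces.add(entry.ns);
  }
  return { byReason, namespaces: [...namespaces].sort() };
}

// Constructed sample resembling system.profile documents (not real data).
const SAMPLE_PROFILE = [
  { op: "query", ns: "shop.orders", command: { find: "orders", filter: { status: "open" } } },
  { op: "query", ns: "shop.orders", command: { find: "orders", filter: { $where: "this.total > 100" } } },
  { op: "command", ns: "shop.orders", command: { aggregate: "orders", pipeline: [
      { $group: { _id: "$customer", t: { $accumulator: {
          init: "function() { return 0; }", accumulate: "function(s, v) { return s + v; }",
          accumulateArgs: ["$total"], merge: "function(a, b) { return a + b; }", lang: "js" } } } } ] } },
  { op: "command", ns: "shop.events", command: { mapReduce: "events",
      map: "function() { emit(this.k, 1); }", reduce: "function(k, v) { return v.length; }", out: { inline: 1 } } },
  { op: "query", ns: "shop.system.js", command: { find: "system.js", filter: {} } },
  { op: "update", ns: "shop.users", command: { q: { _id: 1 }, u: { $set: { name: "x" } } } },
];

console.log(JSON.stringify(summarizeProfile(SAMPLE_PROFILE), null, 2));
```

In mongosh the same functions work unchanged: enable profiling with db.setProfilingLevel(2) on the node you chose, let the window run, then call summarizeProfile(db.system.profile.find().toArray()). An empty byReason over a representative window is the evidence you want before setting security.javascriptEnabled to false.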
Affected: all supported and EOL PSMDB majors from 4.4 through 8.0.
Patch timeline
Both CVEs will be fixed in the same release for each major version.
Upstream MongoDB Community and Enterprise Server already ship the fixes; move to the latest release of your major version, since recent upstream releases have addressed more than ten CVEs.
For Percona Server for MongoDB, patches will be available next week: 6.0 on June 24, 2026 (6.0 is only affected by CVE-2026-11933); 7.0 on June 23, 2026; 8.0 on June 25, 2026.
What to do immediately?
- If any mongod port is reachable from a network you don't control, put network controls in front of it now. That is the only pre-patch mitigation for CVE-2026-9740.
- If you don't use server-side JavaScript, disable it. That is a full mitigation for CVE-2026-11933 at the cost of one restart of mongod (and mongos, in a sharded cluster).
- Audit your roles. Any role that grants read access and the ability to run server-side JavaScript is exposed to CVE-2026-11933 until you patch.
Happy to answer questions in this thread. For anything that needs to stay private (for example, confirming whether a specific deployment is exposed), please use a support ticket rather than the forum.
Thanks, and please patch when the releases land.