CVE-2026-1849 HIGH

CVE-2026-1849: Mongod can run out of stack memory when expressions create deeply nested documents

Vendor Mongodb Inc
Product MongoDB Server
Weakness CWE-674
Published February 10, 2026
Last update February 10, 2026

CVSS base score

7.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

MongoDB Server may experience an out-of-memory failure while evaluating expressions that produce deeply nested documents. The issue arises in recursive functions because the server does not periodically check the depth of the expression.

Key dates

02Disclosure timeline

February 10, 2026 CVE published
February 10, 2026 Record updated