CVE-2026-8063 HIGH

CVE-2026-8063: Post-auth null pointer dereference when aggregating against a view with empty search pipeline

Vendor Mongodb Inc.
Product MongoDB Server
Weakness CWE-476
Published May 7, 2026
Last update May 7, 2026

CVSS base score

7.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

An authenticated user can crash mongod when running $rankFusion or $scoreFusion with an empty pipeline on a view. When resolving a view, the server inspects the aggregation pipeline to determine whether it begins with an Atlas Search stage. For $rankFusion and $scoreFusion, this inspection reads the first element on each stage’s input pipeline array without first verifying that the array is non-empty. Supplying an empty pipeline causes a null pointer dereference and crashes the server. This issue affects MongoDB Server 8.2 versions prior to 8.2.7.

Key dates

02Disclosure timeline

May 7, 2026 CVE published
May 7, 2026 Record updated