CVE-2026-8201 MEDIUM

CVE-2026-8201: Use-After-Free in MongoDB FLE Query Analysis When Processing Positional Projections on Encrypted Fields

Vendor Mongodb, Inc.
Product MongoDB Server
Weakness CWE-416
Published May 13, 2026
Last update May 13, 2026

CVSS base score

6.1/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:H/SC:L/SI:N/SA:N

What the vulnerability does

01Description

A use-after-free vulnerability exists in MongoDB's Field-Level Encryption (FLE) query analysis component, affecting client-side uses of mongocryptd and crypt_shared. Triggering this vulnerability requires control over the structure of a client's FLE-related query. This issue impacts MongoDB Server’s mongocryptd component v7.0 versions prior to 7.0.34, v8.0 versions prior to 8.0.23, v8.2 versions prior to 8.2.9 and v8.3 versions prior to 8.3.2.

Key dates

02Disclosure timeline

May 13, 2026 CVE published
May 13, 2026 Record updated