CVE-2026-9746 HIGH

CVE-2026-9746: Server crashes in case of the use of exchange

Vendor Mongodb
Product MongoDB Server
Weakness CWE-617
Published June 9, 2026
Last update June 10, 2026

CVSS base score

7.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

When using $changestreams and $_requestReshardingResumeToken with the exchange option the server hits an invariant which causes the server to crash. There are no special privileges needed. The user must be logged in to issue the statement.

Key dates

02Disclosure timeline

June 9, 2026 CVE published
June 10, 2026 Record updated