CVE-2026-8053
HIGH · 8.8 · EPSS 0.1%
Published advisory only; no PoC, KEV, or exploitation signal; social amplification of vendor messaging.
What: Memory corruption in MongoDB Server time-series collections (v5.0–8.3) allows authenticated write-privileged users to trigger out-of-bounds memory writes, potentially enabling arbitrary code execution. CVSS 8.8 (HIGH).
Why it matters: Published 24 hours ago with patches available for all affected versions (5.0.33, 6.0.28, 7.0.34, 8.0.23, 8.2.9, 8.3.2). Requires authentication and write privileges, narrowing real-world attack surface. Not yet KEV-listed; no public PoC or in-the-wild exploitation reported. Social chatter is amplified vendor advisory recycling and FUD ("server takeover," "millions of records").
Where it's seen: Security news outlets, threat-intelligence aggregators, and infosec social accounts cross-posting vendor advisory language. No defender questions, no PoC discussion, no scanning signals.
RISK: HIGH — Authenticated RCE potential (write privileges required, PR:L); wide version range; patches available same-day.
Description
An issue in MongoDB Server's time-series collection implementation allows an authenticated user with database write privileges to trigger an out-of-bounds memory write in the mongod process. The issue results from an inconsistency in the internal field-name-to-index mapping within the time-series bucket catalog. Under certain conditions this can result in arbitrary code execution. This issue impacts MongoDB Server v5.0 versions prior to 5.0.33, v6.0 versions prior to 6.0.28, v7.0 versions prior to 7.0.34, v8.0 versions prior to 8.0.23, v8.2 versions prior to 8.2.9 and v8.3 versions prior to 8.3.2.
CVSS 3.1 breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Attack vector: Network
- Attack complexity: Low
- Privileges required: Low
- User interaction: None
- Scope: Unchanged
- Confidentiality: High
- Integrity: High
- Availability: High
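As an added triage helper (not code from the advisory or from MongoDB), the block below reproduces the CVSS 3.1 base-score arithmetic for the vector above, confirming 8.8 and making the PR:L (authenticated) factor explicit, and checks a mongod version string against the fixed releases listed in this advisory. Treatment of branches the advisory does not name (for example 8.1) is an assumption: they return None rather than being marked safe.

```python
import math
import re
from typing import Optional

# CVSS 3.1 base-metric weights from the FIRST specification (PR also depends on scope).
W = {
    "AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20},
    "AC": {"L": 0.77, "H": 0.44},
    "UI": {"N": 0.85, "R": 0.62},
    "CIA": {"H": 0.56, "L": 0.22, "N": 0.0},
}

def roundup(x: float) -> float:
    """CVSS 3.1 Roundup(): smallest one-decimal value >= x, computed in integer math."""
    i = round(x * 100000)
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0

def cvss31_base_score(vector: str) -> float:
    """Base score from a CVSS:3.1 vector string such as the one in the advisory."""
    m = dict(p.split(":") for p in vector.split("/")[1:])
    changed = m["S"] == "C"
    pr = {"N": 0.85, "L": 0.68 if changed else 0.62, "H": 0.50 if changed else 0.27}[m["PR"]]
    iss = 1 - (1 - W["CIA"][m["C"]]) * (1 - W["CIA"][m["I"]]) * (1 - W["CIA"][m["A"]])
    impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15 if changed else 6.42 * iss
    expl = 8.22 * W["AV"][m["AV"]] * W["AC"][m["AC"]] * pr * W["UI"][m["UI"]]
    if impact <= 0:
        return 0.0
    return roundup(min(1.08 * (impact + expl) if changed else impact + expl, 10.0))

# First fixed release per branch, as listed in the advisory above.
FIXED = {"5.0": (5, 0, 33), "6.0": (6, 0, 28), "7.0": (7, 0, 34),
         "8.0": (8, 0, 23), "8.2": (8, 2, 9), "8.3": (8, 3, 2)}

def is_affected(version: str) -> Optional[bool]:
    """True if a mongod version (e.g. buildInfo.version) predates its branch's fix; None for
    branches the advisory does not list (assumption). A prerelease suffix sorts before the release."""
    mo = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(-[\w.]+)?", version.strip())
    if not mo:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(mo.group(i)) for i in (1, 2, 3))
    fixed = FIXED.get(f"{major}.{minor}")
    if fixed is None:
        return None
    return (major, minor, patch, 0 if mo.group(4) else 1) < fixed + (1,)

if __name__ == "__main__":
    print(cvss31_base_score("CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"))  # 8.8
    for v in ("7.0.33", "7.0.34", "8.3.2-rc0", "8.1.0"):
        print(v, is_affected(v))
```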