{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4148", "assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb", "state": "PUBLISHED", "assignerShortName": "mongodb", "dateReserved": "2026-03-13T17:18:13.718Z", "datePublished": "2026-03-17T15:53:57.874Z", "dateUpdated": "2026-03-18T03:55:44.426Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb", "shortName": "mongodb", "dateUpdated": "2026-03-17T15:53:57.874Z"}, "title": "ExpressionContext use-after-free in classic engine $lookup and $graphLookup aggregation operators", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-416", "description": "CWE-416 Use after free", "type": "CWE"}]}], "affected": [{"vendor": "MongoDB Inc", "product": "MongoDB Server", "versions": [{"status": "affected", "version": "8.2", "lessThan": "8.2.6", "versionType": "custom"}, {"status": "affected", "version": "8.0", "lessThan": "8.0.20", "versionType": "custom"}, {"status": "affected", "version": "7.0", "lessThan": "7.0.31", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "A use-after-free vulnerability can be triggered in sharded clusters by an authenticated user with the read role who issues a specially crafted $lookup or $graphLookup aggregation pipeline.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "A use-after-free vulnerability can be triggered in sharded clusters by an authenticated user with the read role who issues a specially crafted $lookup or $graphLookup aggregation pipeline.&nbsp;<br>"}]}], "references": [{"url": "https://jira.mongodb.org/browse/SERVER-119319"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "HIGH", "baseScore": 8.7, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}}, {"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "HIGH", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}], "source": {"discovery": "INTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-17T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-4148"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-18T03:55:44.426Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4148", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-17T16:10:18.424746Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-17T16:10:20.716Z"}}], "cna": {"title": "ExpressionContext use-after-free in classic engine $lookup and $graphLookup aggregation operators", "source": {"discovery": "INTERNAL"}, "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "MongoDB Inc", "product": "MongoDB Server", "versions": [{"status": "affected", "version": "8.2", "lessThan": "8.2.6", "versionType": "custom"}, {"status": "affected", "version": "8.0", "lessThan": "8.0.20", "versionType": "custom"}, {"status": "affected", "version": "7.0", "lessThan": "7.0.31", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://jira.mongodb.org/browse/SERVER-119319"}], "x_generator": {"engine": "Vulnogram 1.0.0"}, "descriptions": [{"lang": "en", "value": "A use-after-free vulnerability can be triggered in sharded clusters by an authenticated user with the read role who issues a specially crafted $lookup or $graphLookup aggregation pipeline.", "supportingMedia": [{"type": "text/html", "value": "A use-after-free vulnerability can be triggered in sharded clusters by an authenticated user with the read role who issues a specially crafted $lookup or $graphLookup aggregation pipeline.&nbsp;<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-416", "description": "CWE-416 Use after free"}]}], "providerMetadata": {"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb", "shortName": "mongodb", "dateUpdated": "2026-03-17T15:53:57.874Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4148", "state": "PUBLISHED", "dateUpdated": "2026-03-18T03:55:44.426Z", "dateReserved": "2026-03-13T17:18:13.718Z", "assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb", "datePublished": "2026-03-17T15:53:57.874Z", "assignerShortName": "mongodb"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:-:*:*:*", "matchCriteriaId": "20BB1767-F789-4A09-BB6F-00B535AEDC02", "versionEndExcluding": "7.0.31", "versionStartIncluding": "7.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:-:*:*:*", "matchCriteriaId": "343C4216-8507-44B6-B692-7A7B66455402", "versionEndExcluding": "8.0.20", "versionStartIncluding": "8.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:-:*:*:*", "matchCriteriaId": "5A773422-F80B-477C-BD39-1DE25E94BADD", "versionEndExcluding": "8.2.6", "versionStartIncluding": "8.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mongodb:mongodb:8.3.0:alpha0:*:*:-:*:*:*", "matchCriteriaId": "CC3B9A35-1714-4DF1-ACB5-123A596461D6", "vulnerable": true}, {"criteria": "cpe:2.3:a:mongodb:mongodb:8.3.0:alpha1:*:*:-:*:*:*", "matchCriteriaId": "0CB39287-3FBC-4DAB-B6C3-A4BD59251BE8", "vulnerable": true}, {"criteria": "cpe:2.3:a:mongodb:mongodb:8.3.0:alpha2:*:*:-:*:*:*", "matchCriteriaId": "7ADCCBAC-CCBA-470E-9E47-049F69806766", "vulnerable": true}, {"criteria": "cpe:2.3:a:mongodb:mongodb:8.3.0:alpha3:*:*:-:*:*:*", "matchCriteriaId": "B5789644-2C9E-430F-A7C2-C36F103F8546", "vulnerable": true}, {"criteria": "cpe:2.3:a:mongodb:mongodb:8.3.0:rc1:*:*:-:*:*:*", "matchCriteriaId": "17C57EBD-CBE7-4F31-8B75-BC4EBF5FCCCA", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A use-after-free vulnerability can be triggered in sharded clusters by an authenticated user with the read role who issues a specially crafted $lookup or $graphLookup aggregation pipeline."}, {"lang": "es", "value": "Una vulnerabilidad de uso despu\u00e9s de liberaci\u00f3n puede ser activada en cl\u00fasteres fragmentados por un usuario autenticado con el rol de lectura que emite una canalizaci\u00f3n de agregaci\u00f3n especialmente dise\u00f1ada de $lookup o $graphLookup."}], "id": "CVE-2026-4148", "lastModified": "2026-04-10T17:38:37.107", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "cna@mongodb.com", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@mongodb.com", "type": "Secondary"}]}, "published": "2026-03-17T16:16:23.807", "references": [{"source": "cna@mongodb.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://jira.mongodb.org/browse/SERVER-119319"}], "sourceIdentifier": "cna@mongodb.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "cna@mongodb.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[8.2,8.2.6)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[8.0,8.0.20)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[7.0,7.0.31)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "MongoDB Server", "source": "cna", "vendor": "MongoDB Inc"}, "product": "mongodb_server", "vendor": "mongodb"}], "analysis": {"en": {"generated_at": "2026-04-10T18:29:59.086228+00:00", "value": {"mitigation_remediation": ["Verify the MongoDB Server version; if it is 8.3.0 alpha or rc, apply the latest patched release from MongoDB. If a patch is not yet available, restrict the use of $lookup and $graphLookup pipelines or remove them from customer applications. Ensure that only trusted users with minimal privileges have access to aggregation pipelines that contain these operators. Monitor cluster logs for abnormal aggregation activity and apply security hardening guidance from MongoDB\u2019s release notes."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution via Use\u2011After\u2011Free"}, "threat_synthesis": {"affected_systems": "MongoDB Server deployments, specifically versions 8.3.0 alpha 0\u20113 and release candidate 1 are known to be impacted; other unpatched releases may also be vulnerable. The flaw is present in sharded clusters where the aggregation framework processes $lookup or $graphLookup stages.", "description_and_impact": "A use\u2011after\u2011free flaw exists in the classic engine of MongoDB Server that can be exploited when an authenticated user possessing a read role issues a specially crafted $lookup or $graphLookup aggregation pipeline. The vulnerability can subvert normal memory handling, potentially leading to arbitrary code execution or service disruption for the affected cluster. The flaw originates from improper deallocation of ExpressionContext objects, a classic memory safety weakness.", "risk_and_exploitability": "The CVSS score of 8.7 classifies the vulnerability as high severity, while the EPSS score of less than 1% indicates a relatively low probability of exploitation in the wild. The flaw is not listed in CISA\u2019s KEV catalog, so no widespread, publicly known exploitation has been reported. Attackers must be authenticated with at least read permission, meaning the threat surface is limited to users with legitimate cluster access or compromised credentials. If exploited, the attacker could gain control over the server or cause a denial of service."}}}}, "created": "2026-03-18T12:13:15.228332+00:00", "updated": "2026-04-13T14:28:26.094358+00:00", "vendors": ["mongodb", "mongodb$PRODUCT$mongodb_server"]}