MongoDB Server <=8.3.2 OOB EDR via TimeSeries Bucket Catalog
CVE-2026-8053 Published on May 12, 2026
FlatBSON Duplicate Field Index Drift
An issue in MongoDB Server's time-series collection implementation allows an authenticated user with database write privileges to trigger an out-of-bounds memory write in the mongod process. The issue results from an inconsistency in the internal field-name-to-index mapping within the time-series bucket catalog. Under certain conditions this can result in arbitrary code execution.
This issue impacts MongoDB Server v5.0 versions prior to 5.0.33, v6.0 versions prior to 6.0.28, v7.0 versions prior to 7.0.34, v8.0 versions prior to 8.0.23, v8.2 versions prior to 8.2.9 and v8.3 versions prior to 8.3.2.
Vulnerability Analysis
CVE-2026-8053 can be exploited with network access and requires a small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.
Weakness Type
What is a Memory Corruption Vulnerability?
The software writes data past the end, or before the beginning, of the intended buffer. Typically, this can result in corruption of data, a crash, or code execution. The software may modify an index or perform pointer arithmetic that references a memory location that is outside of the boundaries of the buffer. A subsequent write operation then produces undefined or unexpected results.
CVE-2026-8053 has been classified as a Memory Corruption vulnerability or weakness.
Products Associated with CVE-2026-8053
Affected Versions
MongoDB, Inc. MongoDB Server:
- Versions from 5.0 up to, but not including, 5.0.33 are affected.
- Versions from 6.0 up to, but not including, 6.0.28 are affected.
- Versions from 7.0 up to, but not including, 7.0.34 are affected.
- Versions from 8.0 up to, but not including, 8.0.23 are affected.
- Versions from 8.2 up to, but not including, 8.2.9 are affected.
- Versions from 8.3 up to, but not including, 8.3.2 are affected.
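
A triage helper for the version ranges listed above, as an added example that is not part of the original advisory or of MongoDB's own tooling. The function names, the sample hostnames and the conservative handling of pre-release builds are assumptions; the fixed versions are copied from this page.

```javascript
// Fixed release per branch, copied from this advisory.
const FIXED = {
  "5.0": "5.0.33",
  "6.0": "6.0.28",
  "7.0": "7.0.34",
  "8.0": "8.0.23",
  "8.2": "8.2.9",
  "8.3": "8.3.2",
};

// Parse "7.0.12", "v8.0.4" or "8.2.0-rc3" into numeric parts plus a pre-release flag.
function parseVersion(s) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$/.exec(String(s).trim());
  if (!m) return null;
  return { parts: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) };
}

// Returns "affected", "fixed" or "unlisted". "unlisted" covers branches the
// advisory does not name and unparseable strings; it does not mean "safe".
function triage(versionString) {
  const v = parseVersion(versionString);
  if (!v) return "unlisted";
  const fixed = FIXED[`${v.parts[0]}.${v.parts[1]}`];
  if (!fixed) return "unlisted";
  const fixedPatch = Number(fixed.split(".")[2]);
  if (v.parts[2] < fixedPatch) return "affected";
  // Assumption: a pre-release of the fixed patch (e.g. "-rc1") is treated as
  // affected, because the page does not say which build first carries the fix.
  if (v.parts[2] === fixedPatch && v.pre) return "affected";
  return "fixed";
}

// Classify a whole inventory of { host, version } records.
function triageInventory(hosts) {
  return hosts.map(({ host, version }) => ({ host, version, status: triage(version) }));
}

// Constructed inventory for illustration; in mongosh, pass db.version() to triage().
const sample = [
  { host: "db-a.example", version: "7.0.12" },
  { host: "db-b.example", version: "8.0.23" },
  { host: "db-c.example", version: "4.4.29" },
  { host: "db-d.example", version: "8.3.2-rc1" },
];
console.table(triageInventory(sample));
```
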