MongoDB Server OOM via Bitwise Expr AST (7.0.33,8.0.22,8.2.8,8.3.1)
CVE-2026-8199 Published on May 13, 2026

Post-auth memory exhaustion via bitwise match expressions
An authenticated user can cause excess memory usage via bitwise match expression AST processing of $bitsAllSet, $bitsAnySet, $bitsAllClear, and $bitsAnyClear. This contributes to memory pressure and may lead to availability loss by OOM. This issue impacts MongoDB Server v7.0 versions prior to 7.0.34, v8.0 versions prior to 8.0.23, v8.2 versions prior to 8.2.9 and v8.3 versions prior to 8.3.2.

NVD
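A check of deployed server versions against the ranges stated above, as an added example that is not code from MongoDB or NVD. The inventory and host names are constructed, and the `review` status for suffixed builds at the first fixed patch level is an assumption made here.

```python
import re

# First fixed patch release per affected series, taken from the advisory text.
FIRST_FIXED_PATCH = {(7, 0): 34, (8, 0): 23, (8, 2): 9, (8, 3): 2}

VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$")


def classify(version):
    """Return 'affected', 'fixed', 'review', 'not-listed' or 'unparseable'."""
    match = VERSION_RE.match(version.strip())
    if match is None:
        return "unparseable"
    major, minor, patch = (int(part) for part in match.group(1, 2, 3))
    suffix = match.group(4)
    fixed_patch = FIRST_FIXED_PATCH.get((major, minor))
    if fixed_patch is None:
        # The advisory makes no statement about this release series.
        return "not-listed"
    if patch < fixed_patch:
        return "affected"
    if patch == fixed_patch and suffix:
        # Assumption: a suffixed build (e.g. -rc0) of the fixed patch level
        # may predate the fix, so it is flagged for manual review.
        return "review"
    return "fixed"


def triage(inventory):
    """Group host names by status for a {host: version string} mapping."""
    groups = {}
    for host, version in sorted(inventory.items()):
        groups.setdefault(classify(version), []).append(host)
    return groups


# Constructed inventory; host names and versions are sample values.
SAMPLE_INVENTORY = {
    "db-a": "7.0.33",
    "db-b": "7.0.34",
    "db-c": "8.0.23-rc0",
    "db-d": "6.0.15",
    "db-e": "8.3.1",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts)}")
```

Hosts reported as `not-listed` run a release series the advisory text does not mention, so their status has to be confirmed from the vendor's own notice.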

Vulnerability Analysis

CVE-2026-8199 can be exploited with network access and requires a small amount of user privileges. It is considered to have a low attack complexity. An exploit is considered to have no impact on confidentiality or integrity and a high impact on availability.

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH

Weakness Type

What is a Stack Exhaustion Vulnerability?

The product manages a group of objects or resources and performs a separate memory allocation for each object, but it does not properly limit the total amount of memory that is consumed by all of the combined objects.

CVE-2026-8199 has been classified as a Stack Exhaustion vulnerability or weakness.


Products Associated with CVE-2026-8199

Affected Versions

MongoDB, Inc. MongoDB Server: