MongoDB QE $vectorSearch Stage Plaintext Leak
CVE-2026-9741 Published on June 9, 2026
Client side encryption fails to encrypt values in a $vectorSearch
A bug in query analysis processing of the $vectorSearch aggregation stage for Queryable Encryption (QE) or Client-Side Field Level Encryption (CSFLE) results in literal values for encrypted fields within the $vectorSearch stage filter expressions to be sent to the server as plaintext instead of ciphertext.
Vulnerability Analysis
CVE-2026-9741 can be exploited with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.
Weakness Type
Cleartext Transmission of Sensitive Information
The software transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors. Many communication channels can be "sniffed" by attackers during data transmission. For example, network traffic can often be sniffed by any attacker who has access to a network interface. This significantly lowers the difficulty of exploitation by attackers.
Products Associated with CVE-2026-9741
Want to know whenever a new CVE is published for MongoDB? stack.watch will email you.
Affected Versions
MongoDB Server:- Version 8.3.0 and below 8.3.3 is affected.
- Version 8.2.0 and below 8.2.10 is affected.
- Version 8.0.0 and below 8.0.24 is affected.
- Version 7.0.0 and below 7.0.35 is affected.