Security Advisory - Published 2026-06-12 - MongoDB Server

MongoDB June 2026 CVE batch: exposure, restart, and encryption-feature checks

This MongoDB batch is mostly an availability risk: crashes, memory pressure, and query paths that should stay inside a tight trust boundary. Two checks deserve extra attention: OIDC authentication and Queryable Encryption / CSFLE. Public MongoDB listeners and shared database networks should be patched first.

Defensive scope: this guide covers inventory, exposure reduction, patching, restart-log review, and safe service validation. It does not include crafted BSON messages, authentication probes, aggregation test cases, or denial-of-service traffic.

What is affected

| CVE | Condition | Main impact | Priority |
|---|---|---|---|
| CVE-2026-9740 | MongoDB Server BSON validation logic | Unauthenticated crash of mongod | High when the database port is reachable outside a tight trust boundary. |
| CVE-2026-9741 | Queryable Encryption or CSFLE query analysis | Literal values can appear in query analysis processing. | High when encrypted-field workflows handle sensitive values. |
| CVE-2026-9742 | OIDC authentication enabled | Pre-authentication crash in affected configurations | High when OIDC is configured and the database listener is reachable. |
| CVE-2026-9743 / 9746 / 9747 / 9748 / 9749 / 9750 / 9752 | Aggregation, change stream, or internal query stages | Authenticated crash or incorrect processing in specific query paths. | Patch servers where application users can run broad aggregation workloads. |
| CVE-2026-9753 | Oplog update processing | Memory out-of-bounds condition or crash. | Review replica set stability and unexplained restarts. |
| CVE-2026-9754 | filemd5 command with read-role access | Limited stack-memory disclosure. | Review read-only user access and patch affected branches. |

Fast exposure check

mongod --version                                                  # server binary version
mongo --version 2>nul                                             # legacy shell, Windows form; on Linux use 2>/dev/null
mongosh --version                                                 # current shell
mongosh --eval "db.version(); db.serverBuildInfo().versionArray"  # version reported by the running server
ss -ltnp | grep 27017                                             # Linux: which process listens on 27017, and on which address
netstat -ano | findstr 27017                                      # Windows equivalent

The clean target is a patched MongoDB branch plus no direct internet exposure. If 27017 is reachable from the internet, close that path even before the full maintenance window is ready.

OIDC and encryption-feature checks

grep -RiE "oidc|queryableEncryption|csfle|authorization|setParameter" /etc/mongod.conf /etc/mongodb* 2>/dev/null   # "authorization" matches the nested YAML key under security:
kubectl get configmap,secret -A | grep -i mongo
docker inspect $(docker ps -q) 2>/dev/null | grep -iE "mongo|oidc|csfle"

CVE-2026-9742 is only relevant when OIDC authentication is enabled. CVE-2026-9741 matters when Queryable Encryption or Client-Side Field Level Encryption is in use. If you use Atlas or managed MongoDB, check the provider advisory and maintenance status instead of guessing from package versions on an application host.

Logs to review

  • Unexpected mongod restarts, crashes, fatal errors, or segmentation faults after June 9, 2026.
  • Authentication errors or OIDC-related errors immediately before a restart.
  • Queryable Encryption / CSFLE query-analysis logs that include sensitive literal values.
  • Database listener traffic from unknown IP addresses or monitoring gaps during a restart.
  • Application-side reconnect storms, connection pool exhaustion, or repeated primary step-down alerts.
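A small log-review helper for the signals listed above, added here as an example; it is not part of this advisory or of MongoDB's own tooling. It assumes mongod's structured JSON log layout (t, s, c, id, ctx, msg, attr) and works on constructed sample lines; the "MongoDB starting" message text and the attr keys are assumptions, so adjust them to what your own logs show.

```python
import json
from datetime import datetime, timedelta

# Constructed sample lines in the mongod structured (JSON) log layout; ids,
# addresses and messages are illustrative, not captured from a real host.
SAMPLE_LOG = """\
{"t":{"$date":"2026-06-10T08:00:01.000+00:00"},"s":"I","c":"NETWORK","id":0,"ctx":"conn12","msg":"Connection accepted","attr":{"remote":"203.0.113.7:51234"}}
{"t":{"$date":"2026-06-10T08:00:02.000+00:00"},"s":"E","c":"ACCESS","id":0,"ctx":"conn12","msg":"Authentication failed","attr":{"mechanism":"MONGODB-OIDC","client":"203.0.113.7:51234"}}
{"t":{"$date":"2026-06-10T08:00:03.000+00:00"},"s":"F","c":"CONTROL","id":0,"ctx":"conn12","msg":"Invariant failure"}
{"t":{"$date":"2026-06-10T08:00:09.000+00:00"},"s":"I","c":"CONTROL","id":0,"ctx":"main","msg":"MongoDB starting","attr":{"pid":4242,"port":27017}}
{"t":{"$date":"2026-06-10T09:30:00.000+00:00"},"s":"E","c":"ACCESS","id":0,"ctx":"conn40","msg":"Authentication failed","attr":{"mechanism":"SCRAM-SHA-256","client":"10.0.0.5:40000"}}
"""

def parse_events(text):
    """Return one dict per valid JSON log line, with a parsed timestamp; skip non-JSON noise."""
    events = []
    for line in text.splitlines():
        try:
            rec = json.loads(line)
        except ValueError:
            continue
        rec["ts"] = datetime.fromisoformat(rec["t"]["$date"])
        events.append(rec)
    return events

def review(text, window=timedelta(minutes=5)):
    """Summarise fatal lines, restarts, and authentication errors that land
    inside `window` before a restart (the OIDC-before-crash pattern above)."""
    events = parse_events(text)
    fatal = [e for e in events if e["s"] == "F"]
    restarts = [e["ts"] for e in events if e["msg"] == "MongoDB starting"]  # assumed startup marker
    auth_errors = [e for e in events if e["c"] == "ACCESS" and e["s"] in ("E", "W")]
    # Keep only auth errors that precede some restart by at most `window`.
    pre_restart = [e for e in auth_errors
                   if any(timedelta(0) <= r - e["ts"] <= window for r in restarts)]
    return {
        "fatal": len(fatal),
        "restarts": len(restarts),
        "auth_errors_before_restart": len(pre_restart),
        "mechanisms_before_restart": sorted({e.get("attr", {}).get("mechanism", "?") for e in pre_restart}),
        "clients_before_restart": sorted({e.get("attr", {}).get("client", "?") for e in pre_restart}),
    }

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for key, value in review(text).items():
        print(f"{key}: {value}")
```

Run it against a copied mongod log file to get counts and the client addresses worth checking against your allow-list; a mechanism of MONGODB-OIDC before a restart is the case that makes the OIDC check above urgent.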

Safe fix path

  1. Apply the MongoDB vendor-fixed release for your supported branch.
  2. Block direct public access to MongoDB with firewall, security group, private network, or VPN controls.
  3. If OIDC, Queryable Encryption, or CSFLE is enabled, patch before running additional exposure tests.
  4. Restart one node at a time in replica sets and verify application reconnect behavior.
  5. Keep restart and database logs for the maintenance window, especially if uptime alerts already fired.

When to request repair help

Use Ping7 CVE Repair if MongoDB is public, OIDC is enabled, the branch cannot be patched quickly, Queryable Encryption / CSFLE is used for sensitive data, or production already had unexplained database restarts. Send the MongoDB version, deployment type, whether OIDC or encryption features are configured, and the restart timestamps.

References