Security Advisory - Published 2026-06-12 - MongoDB Server
MongoDB June 2026 CVE batch: exposure, restart, and encryption-feature checks
This MongoDB batch is mostly availability risk: crashes, memory pressure, and query paths that should stay inside a tight trust boundary. Two checks deserve extra attention: OIDC authentication and Queryable Encryption / CSFLE. Public MongoDB listeners and shared database networks should be patched first.
What is affected
| CVE | Condition | Main impact | Priority |
|---|---|---|---|
| CVE-2026-9740 | MongoDB Server BSON validation logic | Unauthenticated crash of mongod | High when the database port is reachable outside a tight trust boundary. |
| CVE-2026-9741 | Queryable Encryption or CSFLE query analysis | Plaintext literal values can surface in query-analysis processing and logs. | High when encrypted-field workflows handle sensitive values. |
| CVE-2026-9742 | OIDC authentication enabled | Pre-authentication crash in affected configurations | High when OIDC is configured and the database listener is reachable. |
| CVE-2026-9743 / 9746 / 9747 / 9748 / 9749 / 9750 / 9752 | Aggregation, change stream, or internal query stages | Authenticated crash or incorrect processing in specific query paths. | Patch servers where application users can run broad aggregation workloads. |
| CVE-2026-9753 | Oplog update processing | Memory out-of-bounds condition or crash. | Review replica set stability and unexplained restarts. |
| CVE-2026-9754 | filemd5 command with read-role access | Limited stack-memory disclosure. | Review read-only user access and patch affected branches. |
Fast exposure check
```
mongod --version
mongosh --version
mongosh --quiet --eval "print(db.version()); printjson(db.serverBuildInfo().versionArray)"
mongo --version 2>/dev/null   # legacy shell, only if still installed (Windows: 2>nul)
ss -ltnp | grep 27017         # Linux: look for 0.0.0.0 or [::] binds

# Windows equivalent for the listener check
netstat -ano | findstr 27017
```
The clean target is a patched MongoDB branch plus no direct internet exposure. If 27017 is reachable from the internet, close that path even before the full maintenance window is ready.
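The two commands above answer "which version" and "who can reach it" by eye; the script below does the same triage mechanically. It is an added example, not code from this advisory or from MongoDB: it parses the text that `mongod --version` and `ss -ltnp` print, flags wildcard binds on the database port, and compares the running version against a per-branch fix map that you must fill in from the vendor advisory (this page does not state fix versions, so the map and both sample outputs are constructed placeholders).

```python
import re

# Constructed sample output of `mongod --version` (not from a real host).
SAMPLE_MONGOD_VERSION = """db version v7.0.12
Build Info: {
    "version": "7.0.12",
    "modules": [],
    "allocator": "tcmalloc"
}
"""

# Constructed sample output of `ss -ltnp`: mongod bound to loopback, all IPv4
# interfaces and all IPv6 interfaces at once, plus an unrelated sshd listener.
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096   127.0.0.1:27017     0.0.0.0:*     users:(("mongod",pid=1234,fd=12))
LISTEN 0      4096   0.0.0.0:27017       0.0.0.0:*     users:(("mongod",pid=1234,fd=13))
LISTEN 0      4096   [::]:27017          [::]:*        users:(("mongod",pid=1234,fd=14))
LISTEN 0      128    127.0.0.1:22        0.0.0.0:*     users:(("sshd",pid=900,fd=3))
"""

# Local addresses that mean "every interface" in ss output.
WILDCARD_BINDS = {"0.0.0.0", "::", "[::]", "*"}


def parse_mongod_version(text):
    """Return (major, minor, patch) from the 'db version vX.Y.Z' line."""
    m = re.search(r"^db version v(\d+)\.(\d+)\.(\d+)", text, re.MULTILINE)
    if not m:
        raise ValueError("no 'db version' line in input")
    return tuple(int(x) for x in m.groups())


def wildcard_listeners(ss_output, port=27017):
    """Return the wildcard local addresses listening on `port`.

    Parses `ss -ltnp` output (with or without the header line). A non-empty
    result means only the network, not mongod, keeps the port off the internet.
    """
    exposed = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 4 or cols[0] == "State":
            continue
        addr, _, lport = cols[3].rpartition(":")   # "[::]:27017" -> "[::]", "27017"
        if lport == str(port) and addr in WILDCARD_BINDS:
            exposed.append(addr)
    return exposed


def is_patched(version, fixed_by_branch):
    """True if `version` is at or above the fix for its own major.minor branch.

    `fixed_by_branch` maps "major.minor" to a (major, minor, patch) tuple taken
    from the vendor advisory. A branch missing from the map counts as unpatched.
    """
    fix = fixed_by_branch.get(f"{version[0]}.{version[1]}")
    return fix is not None and tuple(version) >= tuple(fix)


def exposure_report(version_text, ss_output, fixed_by_branch, port=27017):
    """Combine the version and listener checks into one triage verdict."""
    version = parse_mongod_version(version_text)
    exposed = wildcard_listeners(ss_output, port)
    patched = is_patched(version, fixed_by_branch)
    if exposed and not patched:
        action = "block port at the network edge now, then patch"
    elif not patched:
        action = "patch in the next window; listener is not wildcard-bound"
    elif exposed:
        action = "patched; still confirm the wildcard bind is not internet-reachable"
    else:
        action = "patched and loopback-only"
    return {
        "version": ".".join(map(str, version)),
        "patched": patched,
        "wildcard_binds": exposed,
        "action": action,
    }


if __name__ == "__main__":
    # Placeholder fix map: replace with the branch fix versions from the advisory.
    placeholder_fixes = {"7.0": (7, 0, 99)}
    print(exposure_report(SAMPLE_MONGOD_VERSION, SAMPLE_SS, placeholder_fixes))
```

Run it with `mongod --version > v.txt; ss -ltnp > ss.txt` and feed both files in; a `0.0.0.0` or `[::]` entry in `wildcard_binds` is the case the page tells you to close at the network edge first.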
OIDC and encryption-feature checks
```
grep -Rin "oidc\|authenticationMechanisms\|authorization\|setParameter" /etc/mongod.conf /etc/mongodb* 2>/dev/null
kubectl get configmap,secret -A | grep -i mongo
docker inspect $(docker ps -q) 2>/dev/null | grep -i "mongo\|oidc\|csfle"
```
CVE-2026-9742 is only relevant when OIDC authentication is enabled; in mongod.conf that means MONGODB-OIDC listed in setParameter.authenticationMechanisms, usually together with an oidcIdentityProviders parameter. CVE-2026-9741 matters when Queryable Encryption or Client-Side Field Level Encryption is in use. Those are configured in the driver's auto-encryption settings rather than in mongod.conf, so check application configuration as well, and on the server look for collections with an encryptedFields option or an encrypt keyword inside a $jsonSchema validator (db.getCollectionInfos() in mongosh). If you use Atlas or managed MongoDB, check the provider advisory and maintenance status instead of guessing from package versions on an application host.
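A grep over mongod.conf finds the OIDC setting but says nothing about encrypted collections, so here is a small added check that covers both sides. It is example code, not part of this advisory or of MongoDB: it scans a mongod.conf text for the MONGODB-OIDC mechanism and oidcIdentityProviders, walks db.getCollectionInfos() output for encryptedFields (Queryable Encryption) and for encrypt/encryptMetadata keywords in a $jsonSchema validator (server-side CSFLE schema), and reports which of the two feature-gated CVEs from the table apply. The config fragment and the collection list are constructed samples.

```python
import json
import re

# Constructed mongod.conf fragment with OIDC enabled (not a real deployment).
SAMPLE_CONF = """\
net:
  port: 27017
  bindIp: 0.0.0.0
security:
  authorization: enabled
setParameter:
  authenticationMechanisms: SCRAM-SHA-256,MONGODB-OIDC
  oidcIdentityProviders: '[{"issuer":"https://idp.example","audience":"mongodb","authNamePrefix":"idp","clientId":"app"}]'
"""

# Constructed db.getCollectionInfos() output: one Queryable Encryption collection
# (encryptedFields option), one CSFLE collection with an encrypt keyword in its
# $jsonSchema validator, and one ordinary collection.
SAMPLE_COLLECTIONS = json.loads("""[
  {"name": "patients", "type": "collection",
   "options": {"encryptedFields": {"fields": [
     {"path": "ssn", "bsonType": "string", "queries": {"queryType": "equality"}}]}}},
  {"name": "claims", "type": "collection",
   "options": {"validator": {"$jsonSchema": {"bsonType": "object", "properties": {
     "card": {"encrypt": {"bsonType": "string",
              "algorithm": "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic"}}}}}}},
  {"name": "audit", "type": "collection", "options": {}}
]""")

CONF_MECHANISMS = re.compile(r"^\s*authenticationMechanisms:\s*(.+?)\s*$", re.MULTILINE)
CONF_OIDC_IDPS = re.compile(r"^\s*oidcIdentityProviders:", re.MULTILINE)
CONF_AUTHZ = re.compile(r"^\s*authorization:\s*enabled\b", re.MULTILINE)


def oidc_enabled(conf_text):
    """True if the config lists MONGODB-OIDC as a mechanism or defines OIDC IdPs."""
    m = CONF_MECHANISMS.search(conf_text)
    mechanisms = [x.strip().strip("'\"") for x in m.group(1).split(",")] if m else []
    return "MONGODB-OIDC" in mechanisms or bool(CONF_OIDC_IDPS.search(conf_text))


def authorization_enabled(conf_text):
    """True if security.authorization is enabled (unauthenticated paths still matter)."""
    return bool(CONF_AUTHZ.search(conf_text))


def _has_encrypt_keyword(node):
    """Walk a $jsonSchema looking for the CSFLE encrypt / encryptMetadata keywords."""
    if isinstance(node, dict):
        if "encrypt" in node or "encryptMetadata" in node:
            return True
        return any(_has_encrypt_keyword(v) for v in node.values())
    if isinstance(node, list):
        return any(_has_encrypt_keyword(v) for v in node)
    return False


def encrypted_collections(infos):
    """Map collection name -> 'queryable_encryption' or 'csfle_schema'."""
    found = {}
    for info in infos:
        opts = info.get("options", {})
        if "encryptedFields" in opts:
            found[info["name"]] = "queryable_encryption"
        elif _has_encrypt_keyword(opts.get("validator", {}).get("$jsonSchema", {})):
            found[info["name"]] = "csfle_schema"
    return found


def feature_report(conf_text, infos):
    """Which of the two feature-gated CVEs in this batch apply to this server."""
    oidc = oidc_enabled(conf_text)
    enc = encrypted_collections(infos)
    cves = []
    if oidc:
        cves.append("CVE-2026-9742")   # OIDC pre-auth crash
    if enc:
        cves.append("CVE-2026-9741")   # QE / CSFLE query-analysis literal exposure
    return {
        "authorization": authorization_enabled(conf_text),
        "oidc": oidc,
        "encrypted_collections": enc,
        "feature_gated_cves": cves,
    }


if __name__ == "__main__":
    print(json.dumps(feature_report(SAMPLE_CONF, SAMPLE_COLLECTIONS), indent=2))
```

One caveat: CSFLE auto-encryption can be driven entirely by a client-side schemaMap, in which case no encrypt keyword appears in the server-side validator. An empty `encrypted_collections` result therefore rules out Queryable Encryption collections but not CSFLE; for that, check the application's driver configuration as well.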
Logs to review
- Unexpected mongod restarts, crashes, fatal errors, or segmentation faults after June 9, 2026.
- Authentication errors or OIDC-related errors immediately before a restart.
- Queryable Encryption / CSFLE query-analysis logs that include sensitive literal values.
- Database listener traffic from unknown IP addresses or monitoring gaps during a restart.
- Application-side reconnect storms, connection pool exhaustion, or repeated primary step-down alerts.
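The first two items in that list are a correlation: a fatal event, and what the ACCESS log said in the seconds before it. The script below is an added example, not part of this advisory or of MongoDB, that runs that correlation over mongod's JSON structured log lines: it finds entries with severity F or a crash marker in the message, collects "Authentication failed" entries from the preceding window with their mechanism and remote address, and pairs each crash with the next "MongoDB starting" entry. The four log lines are constructed for the example (log ids set to 0) and the 60-second window and the June 9 cutoff are parameters you can change.

```python
import json
from datetime import datetime, timedelta

# Constructed mongod structured-log lines (JSON, one per line). The ids are 0
# and the content is illustrative; nothing here was captured from a real crash.
SAMPLE_LOG = """\
{"t":{"$date":"2026-06-10T03:00:00.000+00:00"},"s":"I","c":"ACCESS","id":0,"ctx":"conn3","msg":"Authentication failed","attr":{"mechanism":"SCRAM-SHA-256","principalName":"app","authenticationDatabase":"admin","remote":"10.0.0.9:51000","error":"AuthenticationFailed: SCRAM authentication failed"}}
{"t":{"$date":"2026-06-10T03:14:10.100+00:00"},"s":"I","c":"ACCESS","id":0,"ctx":"conn12","msg":"Authentication failed","attr":{"mechanism":"MONGODB-OIDC","principalName":"","authenticationDatabase":"$external","remote":"203.0.113.5:50012","error":"BadValue: malformed token"}}
{"t":{"$date":"2026-06-10T03:14:15.123+00:00"},"s":"F","c":"CONTROL","id":0,"ctx":"conn12","msg":"Writing fatal message","attr":{"message":"Got signal: 11 (Segmentation fault).\\n"}}
{"t":{"$date":"2026-06-10T03:14:40.000+00:00"},"s":"I","c":"CONTROL","id":0,"ctx":"main","msg":"MongoDB starting","attr":{"pid":4321,"port":27017,"dbPath":"/var/lib/mongodb","host":"db-1"}}
"""

# Substrings that mark a crash even when the severity field is not "F".
FATAL_MARKERS = ("Got signal", "Fatal assertion", "Invariant failure", "Segmentation fault")


def parse_ts(value):
    """ISO-8601 timestamp as written in the log's t.$date field -> aware datetime."""
    return datetime.fromisoformat(value)


def parse_log(text):
    """Parse JSON log lines into dicts with a `ts` datetime; non-JSON lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            e = json.loads(line)
        except json.JSONDecodeError:
            continue
        e["ts"] = parse_ts(e["t"]["$date"])
        entries.append(e)
    return entries


def is_fatal(e):
    """Severity F, or a crash marker in msg / attr.message."""
    text = e.get("msg", "") + " " + str(e.get("attr", {}).get("message", ""))
    return e.get("s") == "F" or any(m in text for m in FATAL_MARKERS)


def is_auth_failure(e):
    return e.get("c") == "ACCESS" and e.get("msg") == "Authentication failed"


def is_startup(e):
    return e.get("c") == "CONTROL" and e.get("msg") == "MongoDB starting"


def crash_timeline(entries, window_seconds=60, since=None):
    """For each crash at or after `since` (ISO string or None), list the auth
    failures in the preceding window and the next restart."""
    cutoff = parse_ts(since) if since else None
    window = timedelta(seconds=window_seconds)
    crashes = []
    for i, e in enumerate(entries):
        if not is_fatal(e) or (cutoff and e["ts"] < cutoff):
            continue
        before = [x for x in entries[:i]
                  if is_auth_failure(x) and e["ts"] - window <= x["ts"] <= e["ts"]]
        restart = next((x["ts"] for x in entries[i + 1:] if is_startup(x)), None)
        mechanisms = {x.get("attr", {}).get("mechanism") for x in before}
        crashes.append({
            "crash_at": e["ts"],
            "reason": str(e.get("attr", {}).get("message", e.get("msg", ""))).strip(),
            "auth_failures_before": [
                (x["attr"].get("mechanism"), x["attr"].get("remote"), x["attr"].get("error"))
                for x in before],
            "oidc_involved": "MONGODB-OIDC" in mechanisms,
            "restarted_at": restart,
        })
    return crashes


if __name__ == "__main__":
    # The page's review cutoff: restarts after June 9, 2026.
    for c in crash_timeline(parse_log(SAMPLE_LOG), since="2026-06-09T00:00:00+00:00"):
        print(c)
```

A crash with `oidc_involved` true and a remote address you do not recognise is exactly the CVE-2026-9742 pattern the page asks you to look for; a crash with no auth failures in the window points at the aggregation or oplog entries in the table instead, and the `restarted_at` gap tells you how long the node was down.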
Safe fix path
- Apply the MongoDB vendor-fixed release for your supported branch.
- Block direct public access to MongoDB with firewall, security group, private network, or VPN controls.
- If OIDC, Queryable Encryption, or CSFLE is enabled, patch before running additional exposure tests.
- Restart one node at a time in replica sets and verify application reconnect behavior.
- Keep restart and database logs for the maintenance window, especially if uptime alerts already fired.
When to request repair help
Use Ping7 CVE Repair if MongoDB is public, OIDC is enabled, the branch cannot be patched quickly, Queryable Encryption / CSFLE is used for sensitive data, or production already had unexplained database restarts. Send the MongoDB version, deployment type, whether OIDC or encryption features are configured, and the restart timestamps.
References
- NVD: CVE-2026-9740
- MongoDB Jira: SERVER-125063
- MongoDB Jira: SERVER-123507
- NVD: CVE-2026-9742
- MongoDB Jira: SERVER-124183
- MongoDB Jira: SERVER-123688
- MongoDB Jira: SERVER-124190
- MongoDB Jira: SERVER-123918
- MongoDB Jira: SERVER-123951
- MongoDB Jira: SERVER-124031
- MongoDB Jira: SERVER-123633
- MongoDB Jira: SERVER-123440
- MongoDB Jira: SERVER-124959
- MongoDB Jira: SERVER-122207