Cyber Resilience

CVE-2026-11933

Severity: High (updated)

Published: 12 June 2026
Modified: 22 June 2026
KEV Added: not listed
Patch:
CVSS Score (v4): 8.7
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0038 (30.3rd percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-11933 is a high-severity vulnerability in MongoDB (vendor mongodb, product mongodb), recorded as an Out-of-bounds Write (CWE-787) and described by the vendor as a use-after-free (CWE-416). Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Credential Access (T1212). The CVE is ranked at the 30.3rd percentile by EPSS exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

A use-after-free vulnerability exists in MongoDB Server's server-side JavaScript engine when converting BSON documents to JavaScript arrays. An authenticated user with read privileges who is able to run server-side JavaScript (for example, via $where or $function) can cause the server to access memory that has already been freed. This may result in disclosure of information from the mongod process memory or a denial of service through a server crash.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1212 Exploitation for Credential Access (Credential Access): Adversaries may exploit software vulnerabilities in an attempt to collect credentials.
T1499.004 Application or System Exploitation (Impact): Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

The use-after-free in MongoDB's server-side JavaScript engine enables authenticated memory disclosure (credential access, T1212) or a process crash (denial of service, T1499.004).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

Affected Assets

Vendor: mongodb
Product: mongodb
Affected versions: 4.4.0 to 4.4.31 · 5.0.0 to 5.0.34 · 6.0.0 to 6.0.29

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses: CWE-416, CWE-787

Use-after-free exploits that aim for arbitrary code execution are blocked or significantly hardened by non-executable pages and ASLR. These controls do not prevent the information-disclosure or server-crash outcomes described above, which follow directly from the freed-memory access.

References