CVE-2026-1849
Published: 10 February 2026
Summary
CVE-2026-1849 is a high-severity Uncontrolled Recursion (CWE-674) vulnerability in Mongodb Mongodb. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 23.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-1849 affects MongoDB Server, where the server may experience an out-of-memory failure while evaluating expressions that produce deeply nested documents. The issue stems from recursive functions that do not periodically check the depth of the expression, leading to uncontrolled recursion as classified under CWE-674. The vulnerability has a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H), indicating medium severity primarily due to high availability impact.
An attacker requires low privileges (PR:L) and can exploit this remotely over the network (AV:N) with low attack complexity and no user interaction. Exploitation involves crafting expressions that trigger deeply nested document generation, causing the recursive functions to consume excessive memory and result in an out-of-memory failure, effectively denying service to the MongoDB Server.
Mitigation details are documented in the MongoDB JIRA ticket at https://jira.mongodb.org/browse/SERVER-102364.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-6757
Vulnerability details
MongoDB Server may experience an out-of-memory failure while evaluating expressions that produce deeply nested documents. The issue arises in recursive functions because the server does not periodically check the depth of the expression.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct exploitation of uncontrolled recursion vulnerability to trigger OOM and crash MongoDB service, matching Application or System Exploitation for DoS.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires protection against denial-of-service via resource exhaustion from uncontrolled recursion on deeply nested MongoDB expressions.
Mandates validation of input expression depth to block crafted payloads that trigger unbounded recursion and OOM.
Requires management of memory and other resources to limit the impact of recursive expression evaluation leading to exhaustion.