Cyber Resilience

CVE-2026-1850

Severity: High · Category: DDoS

Published: 10 February 2026
Modified: 25 February 2026
KEV Added: not listed
Patch:
CVSS v4.0 score: 7.1 (vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0008 (23.2nd percentile)
Risk priority: 14 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-1850 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in MongoDB (vendor: MongoDB, product: MongoDB). Its CVSS v4.0 base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The vulnerability ranks at the 23.2nd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Deeper analysis

CVE-2026-1850 affects MongoDB, specifically the Query Planner component, where complex queries can trigger excessive memory usage leading to an out-of-memory (OOM) crash. Published on 2026-02-10, this vulnerability is categorized under CWE-770 (Allocation of Resources Without Limits or Throttling) and carries a CVSS v3.1 base score of 6.5 (vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

An attacker with low privileges can exploit this vulnerability over the network with low attack complexity and no user interaction. Exploitation involves sending crafted complex queries that overwhelm memory allocation in the Query Planner, producing a denial-of-service condition through an out-of-memory crash: high impact on availability, no impact on confidentiality or integrity.

Mitigation details are available in the MongoDB advisory referenced at https://jira.mongodb.org/browse/SERVER-114126.

Vulnerability details

Complex queries can cause excessive memory usage in MongoDB Query Planner resulting in an Out-Of-Memory Crash.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Direct mapping to application exploitation: crafted queries exhaust Query Planner memory, causing an endpoint denial of service.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-1847 (same product: MongoDB)
CVE-2026-1848 (same product: MongoDB)
CVE-2026-1849 (same product: MongoDB)
CVE-2026-8336 (same product: MongoDB)
CVE-2026-4358 (same product: MongoDB)
CVE-2025-0755 (same product: MongoDB)
CVE-2025-14847 (same product: MongoDB)
CVE-2026-8053 (same product: MongoDB)
CVE-2026-4148 (same product: MongoDB)
CVE-2026-8201 (same product: MongoDB)

Affected Assets

Vendor: mongodb · Product: mongodb
Affected versions: 8.0.0 through 8.0.18, and 8.2.0 through 8.2.4

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: Directly limits resource allocation in the MongoDB Query Planner to prevent the excessive memory consumption from complex queries that triggers the OOM crash.

Prevent: Provides denial-of-service protections specifically against crafted queries that exhaust memory in the Query Planner component.

Prevent: Validates incoming queries to reject or throttle overly complex inputs before they reach the vulnerable Query Planner logic.
