CVE-2026-1850
Published: 10 February 2026
Summary
CVE-2026-1850 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in MongoDB. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). It ranks in the 23.2nd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Deeper analysis
CVE-2026-1850 affects MongoDB, specifically the Query Planner component, where complex queries can trigger excessive memory usage leading to an out-of-memory crash. Published on 2026-02-10, this vulnerability is categorized under CWE-770 (Allocation of Resources Without Limits or Throttling) and carries a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
An attacker with low privileges can exploit this vulnerability over the network with low complexity and no user interaction required. Exploitation involves sending crafted complex queries that overwhelm memory allocation in the Query Planner, resulting in a denial-of-service condition through an out-of-memory crash, with high impact on availability but no impact on confidentiality or integrity.
Mitigation details are available in the MongoDB advisory referenced at https://jira.mongodb.org/browse/SERVER-114126.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-6754
Vulnerability details
Complex queries can cause excessive memory usage in MongoDB Query Planner resulting in an Out-Of-Memory Crash.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct mapping to application exploitation causing endpoint DoS via crafted queries exhausting Query Planner memory.
Mitigating Controls (NIST 800-53 r5)
Directly limits resource allocation in the MongoDB Query Planner to prevent the excessive memory consumption from complex queries that triggers the OOM crash.
Provides denial-of-service protections specifically against crafted queries that exhaust memory in the Query Planner component.
Validates incoming queries to reject or throttle overly complex inputs before they reach the vulnerable Query Planner logic.