Cyber Resilience

CVE-2026-4148

Severity: High
Published: 17 March 2026
Modified: 10 April 2026
KEV Added: not listed
Patch: vendor patch available
CVSS Score (v4): 8.7
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0032 (24.0th percentile)
Risk Priority: 55 (floored blend, peak EPSS)

Summary

CVE-2026-4148 is a high-severity Use After Free (CWE-416) vulnerability in MongoDB (vendor: MongoDB). Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 24.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-4148 is a use-after-free vulnerability (CWE-416) affecting MongoDB sharded clusters. It can be triggered when an authenticated user with the read role issues a specially crafted $lookup or $graphLookup aggregation pipeline. The vulnerability was published on 2026-03-17 and has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

An attacker requires network access and an authenticated account with only the read role to exploit this vulnerability remotely with low complexity and no user interaction. Successful exploitation can result in high impacts to confidentiality, integrity, and availability, potentially allowing arbitrary code execution or other severe consequences typical of use-after-free flaws.

Mitigation details are available in the referenced MongoDB advisory at https://jira.mongodb.org/browse/SERVER-119319.

Vulnerability details

A use-after-free vulnerability can be triggered in sharded clusters by an authenticated user with the read role who issues a specially crafted $lookup or $graphLookup aggregation pipeline.

CWE(s)

CWE-416 Use After Free

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1190 Exploit Public-Facing Application (tactic: Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1210 Exploitation of Remote Services (tactic: Lateral Movement): Adversaries may exploit remote services to gain unauthorized access to internal systems once inside a network.
Why these techniques?

A use-after-free in the MongoDB aggregation pipeline lets an authenticated read-role user trigger remote arbitrary code execution on the database server (high C/I/A impact). This is authenticated remote exploitation of a network-accessible service for privilege escalation, which is why these techniques apply.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-8053 (same product: MongoDB)
CVE-2026-8336 (same product: MongoDB)
CVE-2026-8201 (same product: MongoDB)
CVE-2025-14847 (same product: MongoDB)
CVE-2026-1848 (same product: MongoDB)
CVE-2026-4358 (same product: MongoDB)
CVE-2026-1850 (same product: MongoDB)
CVE-2026-1849 (same product: MongoDB)
CVE-2026-1847 (same product: MongoDB)
CVE-2025-0755 (same product: MongoDB)

Affected Assets

Vendor: mongodb
Product: mongodb
Affected versions: 8.3.0; 7.0.0 through 7.0.31; 8.0.0 through 8.0.20; 8.2.0 through 8.2.6

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): Directly remediates the use-after-free vulnerability in MongoDB sharded clusters by installing vendor-provided patches.

Memory protection (prevent): Implements memory safeguards such as ASLR and non-executable memory to block exploitation of the use-after-free flaw.

SI-10 Information Input Validation (prevent): Validates $lookup and $graphLookup aggregation pipeline inputs to block specially crafted payloads that trigger the vulnerability.

References

MongoDB advisory: https://jira.mongodb.org/browse/SERVER-119319