Cyber Posture

CVE-2026-4148

Severity: High

Published: 17 March 2026
Modified: 10 April 2026
KEV Added: not listed in CISA KEV
Patch: see the vendor advisory (SERVER-119319)
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0006 (17.9th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-4148 is a high-severity Use After Free (CWE-416) vulnerability in MongoDB (vendor MongoDB). Its CVSS v3.1 base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks it at the 17.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)
Directly remediates the use-after-free vulnerability in MongoDB sharded clusters by installing vendor-provided patches.

Memory safeguards (prevent)
Implements memory safeguards such as ASLR and non-executable memory to block exploitation of the use-after-free flaw.

SI-10 Information Input Validation (prevent)
Validates $lookup and $graphLookup aggregation pipeline inputs to block specially crafted payloads that trigger the vulnerability.

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

T1190 Exploit Public-Facing Application (tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1210 Exploitation of Remote Services (tactic: Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

A use-after-free in the MongoDB aggregation pipeline allows an authenticated user with only the read role to trigger remote arbitrary code execution on the database server (high confidentiality, integrity and availability impact). This is authenticated remote exploitation of a network-accessible service that directly enables privilege escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A use-after-free vulnerability can be triggered in sharded clusters by an authenticated user with the read role who issues a specially crafted $lookup or $graphLookup aggregation pipeline.

Deeper analysis

CVE-2026-4148 is a use-after-free vulnerability (CWE-416) affecting MongoDB sharded clusters. It can be triggered when an authenticated user with the read role issues a specially crafted $lookup or $graphLookup aggregation pipeline. The vulnerability was published on 2026-03-17 and has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

An attacker requires network access and an authenticated account with only the read role to exploit this vulnerability remotely with low complexity and no user interaction. Successful exploitation can result in high impacts to confidentiality, integrity, and availability, potentially allowing arbitrary code execution or other severe consequences typical of use-after-free flaws.

Mitigation details are available in the referenced MongoDB advisory at https://jira.mongodb.org/browse/SERVER-119319.

Details

CWE(s)

CWE-416 Use After Free

Affected Products

MongoDB (vendor MongoDB): 8.3.0 · 7.0.0 to 7.0.31 · 8.0.0 to 8.0.20 · 8.2.0 to 8.2.6
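The version ranges above are what an operator needs to decide whether a deployment is in scope. The following is an added example (not part of this record and not MongoDB's own tooling) that checks a server's buildInfo version against exactly those ranges; it reports versions outside them as "not listed" rather than "fixed", because the record gives no fixed versions. The `hello` check for a mongos router assumes the documented `msg: "isdbgrid"` marker.

```python
from typing import Tuple

# Inclusive (low, high) ranges copied from this record's "Affected Products" list.
AFFECTED_RANGES = [
    ("7.0.0", "7.0.31"),
    ("8.0.0", "8.0.20"),
    ("8.2.0", "8.2.6"),
    ("8.3.0", "8.3.0"),
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '8.0.19' or '8.0.19-rc0' into a comparable (major, minor, patch) tuple.
    A pre-release suffix after '-' is dropped so it compares as its base version."""
    parts = version.split("-", 1)[0].split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected MongoDB version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """True when the version falls inside any listed affected range."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


def is_mongos(hello_doc: dict) -> bool:
    """A mongos router answers hello/isMaster with msg: 'isdbgrid'; the record says
    the flaw is triggered in sharded clusters, so this flags the exposed topology."""
    return hello_doc.get("msg") == "isdbgrid"


def assess(build_info: dict, hello_doc: dict) -> dict:
    """Assess the documents from db.runCommand({buildInfo: 1}) and db.hello().
    Only the 'version' and 'msg' fields are read."""
    version = build_info["version"]
    return {
        "cve": "CVE-2026-4148",
        "version": version,
        "version_listed_as_affected": is_affected(version),
        "sharded_router": is_mongos(hello_doc),
    }


if __name__ == "__main__":
    # Constructed sample documents, not captured from real servers.
    print(assess({"version": "8.0.19"}, {"msg": "isdbgrid"}))  # affected, mongos
    print(assess({"version": "7.0.32"}, {}))                    # not listed, mongod
```

Run it against the real output of `db.runCommand({buildInfo: 1})` and `db.hello()` on each mongos and shard to prioritise SI-2 patching.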

CVEs Like This One

CVE-2025-14847 (same product: MongoDB)
CVE-2026-4358 (same product: MongoDB)
CVE-2026-1848 (same product: MongoDB)
CVE-2026-1849 (same product: MongoDB)
CVE-2026-1847 (same product: MongoDB)
CVE-2026-1850 (same product: MongoDB)
CVE-2025-0755 (same product: MongoDB)
CVE-2026-31444 (shared CWE-416)
CVE-2026-23428 (shared CWE-416)
CVE-2026-31533 (shared CWE-416)

References