Cyber Resilience

CVE-2026-8053

High

Published: 13 May 2026

Modified: 18 May 2026
CVSS v4 Score: 8.7
CVSS v4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0057 (43.0th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-8053 is a high-severity out-of-bounds write (CWE-787) vulnerability in MongoDB Server. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 43.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

Vulnerability details

An issue in MongoDB Server's time-series collection implementation allows an authenticated user with database write privileges to trigger an out-of-bounds memory write in the mongod process. The issue results from an inconsistency in the internal field-name-to-index mapping within the time-series bucket catalog. Under certain conditions this can result in arbitrary code execution. This issue impacts MongoDB Server v5.0 versions prior to 5.0.33, v6.0 versions prior to 6.0.28, v7.0 versions prior to 7.0.34, v8.0 versions prior to 8.0.23, v8.2 versions prior to 8.2.9 and v8.3 versions prior to 8.3.2.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068: Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

T1190: Exploit Public-Facing Application (tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1210: Exploitation of Remote Services (tactic: Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

Why these techniques?

Out-of-bounds write (CWE-787) in mongod directly enables remote exploitation for privilege escalation and RCE on a database server.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-4148 (same product: MongoDB)
CVE-2025-14847 (same product: MongoDB)
CVE-2026-1848 (same product: MongoDB)
CVE-2026-4358 (same product: MongoDB)
CVE-2026-8336 (same product: MongoDB)
CVE-2026-1850 (same product: MongoDB)
CVE-2026-8201 (same product: MongoDB)
CVE-2026-1849 (same product: MongoDB)
CVE-2026-1847 (same product: MongoDB)
CVE-2025-0755 (same product: MongoDB)

Affected Assets

mongodb
mongodb
5.0.0 — 5.0.33 · 6.0.0 — 6.0.28 · 7.0.0 — 7.0.34

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-787

Out-of-bounds writes that corrupt control flow or inject shellcode are rendered non-executable by the same memory protections.
