Cyber Resilience

CVE-2026-8431

CriticalRCE

Published: 12 May 2026

Published
12 May 2026
Modified
13 May 2026
KEV Added
Patch
CVSS Score v4 9.4 CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0037 29.1th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-8431 is a critical-severity Command Injection (CWE-77) vulnerability in Mongodb Ops Manager (inferred from references). Its CVSS base score is 9.4 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 29.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

An administrative user with access to configure webhooks can execute arbitrary commands by configuring and then triggering webhooks containing specific FreeMarker template syntax.  This issue affects all MongoDB Ops Manager 7.0 versions and MongoDB Ops Manager versions 8.0.22 and prior.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

Admin-accessible webhook config with FreeMarker template injection directly enables RCE (T1059) on the Ops Manager server; the management app is commonly exposed, mapping to T1190.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-44869Shared CWE-77
CVE-2026-44866Shared CWE-77
CVE-2025-57685Shared CWE-77
CVE-2025-60021Shared CWE-77
CVE-2026-2333Shared CWE-77
CVE-2025-67728Shared CWE-77
CVE-2025-24818Shared CWE-77
CVE-2024-54794Shared CWE-77
CVE-2025-60801Shared CWE-77
CVE-2025-55294Shared CWE-77

Affected Assets

Mongodb
Ops Manager
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References