CVE-2026-9753

Severity: High (updated)
Published: 09 June 2026
Modified: 18 June 2026
KEV Added: not listed
CVSS v4.0 base score: 7.2 (High)
CVSS v4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS score: 0.0030 (21.5th percentile)
Risk Priority: 55 (floored blend, peak EPSS)

Summary

CVE-2026-9753 is a high-severity Improper Validation of Specified Type of Input (CWE-1287) vulnerability in MongoDB (vendor: MongoDB). Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). It ranks at the 21.5th percentile by exploit likelihood (EPSS, below the median) and is not currently listed in the CISA KEV catalog.

Vulnerability details

The $_internalApplyOplogUpdate aggregation pipeline stage can be used to apply a document diff containing a malformed binary diff, causing the server to return out-of-bounds memory or crash. $_internalApplyOplogUpdate can be executed by any authenticated user with access to the aggregate command.

CWE(s)

CWE-1287: Improper Validation of Specified Type of Input (the weakness named in the summary above)
CWE-787: Out-of-bounds Write (the weakness the mitigating-controls mapping below addresses)
Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Abuse of the aggregate command by an authenticated user triggers an out-of-bounds write or crash via a malformed oplog diff, directly enabling application-layer denial of service.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

Affected Assets

Vendor: mongodb
Product: mongodb
Affected versions: ≤ 7.0.35; 8.0.0 to 8.0.24; 8.2.0 to 8.2.10
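The version ranges above are the actionable part of this record for a defender. The following is an added example, not code from the advisory or from MongoDB: it checks a fleet's reported server versions against those ranges. It assumes the ranges are inclusive at both ends, reads "≤ 7.0.35" literally (so older major lines such as 6.x also compare as affected, which is the conservative reading), and accepts either a bare "x.y.z" string or the "db version vX.Y.Z" line printed by mongod --version.

```python
"""Check reported MongoDB versions against the CVE-2026-9753 affected ranges."""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Ranges as listed on this page, inclusive on both ends.
# Assumption: "<= 7.0.35" is applied literally, so any version at or below
# 7.0.35 (including earlier major lines) is treated as affected.
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((0, 0, 0), (7, 0, 35)),
    ((8, 0, 0), (8, 0, 24)),
    ((8, 2, 0), (8, 2, 10)),
]

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Version:
    """Extract major.minor.patch from '8.0.24' or 'db version v8.0.24'.

    Pre-release suffixes such as '-rc0' are ignored for the comparison.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def is_affected(text: str) -> bool:
    """True if the version falls inside any listed affected range."""
    v = parse_version(text)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Split a {host: reported version} inventory into two sorted lists."""
    result: Dict[str, List[str]] = {"affected": [], "not_affected": []}
    for host, version in sorted(inventory.items()):
        result["affected" if is_affected(version) else "not_affected"].append(host)
    return result


# Constructed sample inventory for illustration; not real hosts.
SAMPLE_INVENTORY = {
    "db-prod-1": "db version v7.0.35",
    "db-prod-2": "7.0.36",
    "db-analytics": "8.0.24",
    "db-staging": "8.0.25",
    "db-dev": "8.2.3",
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '(none)'}")
```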

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not yet been run; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses: CWE-787 (Out-of-bounds Write)

Out-of-bounds writes that corrupt control flow or inject shellcode are rendered non-executable by memory protections that mark data pages non-executable. Such protections do not prevent the crash and resulting denial of service described above, so patching to a version outside the affected ranges remains the primary remediation.
