Description

After invoking $_internalJsEmit, which is not intended to be directly accessible, or mapreduce command’s map function in a certain way, an authenticated user can subsequently crash mongod when the server-side JavaScript engine (through $where, $function, mapreduce reduce stage, etc.) is used also in a specific way, resulting in a post-authentication denial-of-service. This issue impacts MongoDB Server v8.2 versions prior to 8.2.9 and v8.3 versions prior to 8.3.2.

Remediation

References

CVE-2026-8336

Related Vulnerabilities

WordPress Plugin Parsi Date Cross-Site Scripting (4.0.1)

Liferay Portal Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2023-35030)

Jetty Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2021-28169)

Moodle Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2020-25702)

SharePoint Deserialization of Untrusted Data Vulnerability (CVE-2025-30378)

Severity

Medium

Classification

CVE-2026-8336 CWE-416 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Tags

Missing Update Known Vulnerabilities