Detections
Analytics
MongoDB 7.0.x < 7.0.35 / 8.0.x < 8.0.24 / 8.2.x < 8.2.10 / 8.3.x < 8.3.3 Multiple Vulnerabilities
high Nessus Plugin ID 320792
Synopsis
The remote host is missing a security update.Description
The version of MongoDB installed on the remote host is 7.0.x prior to 7.0.35, 8.0.x prior to 8.0.24, 8.2.x prior to 8.2.10, or 8.3.x prior to 8.3.3. It is, therefore, affected by multiple vulnerabilities:- The $_internalApplyOplogUpdate aggregation pipeline stage can be used to execute a document diff containing a malformed binary diff to return memory out-of-bounds or crash the server. $_internalApplyOplogUpdate can be executed by any authenticated user with access to the aggregate command. (CVE-2026-9753)
- A vulnerability in MongoDB Server's BSON validation logic allows an unauthenticated user to crash the mongod process by sending a specially crafted message. The BSON validator's handling of certain nested binary data structures permits uncontrolled mutual recursion between validation functions, where each re-entry resets internal depth tracking. (CVE-2026-9740)
- When using $changestreams and $_requestReshardingResumeToken with the exchange option the server hits an invariant which causes the server to crash. There are no special privileges needed. The user must be logged in to issue the statement. (CVE-2026-9746)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Upgrade to MongoDB version 7.0.35, 8.0.24, 8.2.10, or 8.3.3 or later.See Also
https://jira.mongodb.org/browse/SERVER-123951
https://jira.mongodb.org/browse/SERVER-124031
https://jira.mongodb.org/browse/SERVER-124190
Plugin Details
Severity: High
ID: 320792
File Name: mongodb_server_SERVER-124031.nasl
Version: 1.1
Type: Combined
Agent: windows, macosx, unix
Family: Databases
Published: 6/12/2026
Updated: 6/12/2026
Configuration: Enable thorough checks (optional)
Supported Sensors: Nessus Agent, Nessus
Risk Information
VPR
Risk Factor: Medium
Score: 6.0
CVSS v2
Risk Factor: High
Base Score: 8.5
Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:N/A:C
CVSS Score Source: CVE-2026-9753
CVSS v3
Risk Factor: High
Base Score: 8.1
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
CVSS v4
Risk Factor: High
Base Score: 7.2
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N
Vulnerability Information
CPE: cpe:/a:mongodb:mongodb
Required KB Items: installed_sw/MongoDB
Patch Publication Date: 6/9/2026
Vulnerability Publication Date: 6/9/2026
Reference Information
CVE: CVE-2026-9740, CVE-2026-9746, CVE-2026-9748, CVE-2026-9749, CVE-2026-9753
IAVA: 2026-A-0590