CVE-2026-4148 — Use After Free in INC Mongodb Server

CWE-416 — Use After Free5 documents5 sources

Severity

8.7HIGHNVD

EPSS

0.1%

top 84.61%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mongodb INC Mongodb Server Mongodb

Timeline

PublishedMar 17

Description

A use-after-free vulnerability can be triggered in sharded clusters by an authenticated user with the read role who issues a specially crafted $lookup or $graphLookup aggregation pipeline.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Packages2 packages

▶NVDmongodb/mongodb7.0.0 — 7.0.31+3

▶CVEListV5mongodb_inc/mongodb_server8.2 — 8.2.6+2

Patches

Patch: jira.mongodb.org ↗

🔴Vulnerability Details

CVEList

ExpressionContext use-after-free in classic engine $lookup and $graphLookup aggregation operators↗2026-03-17

▶

OSV

CVE-2026-4148: A use-after-free vulnerability can be triggered in sharded clusters by an authenticated user with the read role who issues a specially crafted $lookup↗2026-03-17

▶

GHSA

GHSA-5rch-679r-cv33: A use-after-free vulnerability can be triggered in sharded clusters by an authenticated user with the read role who issues a specially crafted $lookup↗2026-03-17

▶

🕵️Threat Intelligence

Wiz

CVE-2026-4148 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶