CVE-2026-8843
Published 2026-05-18
Priority: P3 · 36 · medium
CVSS 3.1: 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
EPSS: 0.24% (14.2th percentile)
Creating a "2dsphere_bucket" index on a non-timeseries bucket collection will succeed, but any subsequent attempt to insert a document which triggers updating that index will crash the server. A similar issue occurs when creating "queryable_encrypted_range" indices.
This issue affects MongoDB Server v7.0 versions prior to 7.0.32, v8.0 versions prior to 8.0.21 and v8.2 versions prior to 8.2.6.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mongodb_inc | mongodb_server | >= 7.0 < 7.0.32 | 7.0.32 |
| mongodb_inc | mongodb_server | >= 8.0 < 8.0.21 | 8.0.21 |
| mongodb_inc | mongodb_server | >= 8.2 < 8.2.6 | 8.2.6 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
| nvd | v4.0 | 7.1 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
VulDB
MongoDB Server up to 7.0.31/8.0.20/8.2.5 2dsphere_bucket Index assertion
vuldb·2026-05-18·CVSS 7.1
CVE-2026-8843 [HIGH] MongoDB Server up to 7.0.31/8.0.20/8.2.5 2dsphere_bucket Index assertion
A vulnerability was found in MongoDB Server up to 7.0.31/8.0.20/8.2.5. It has been classified as problematic. Affected is an unknown function of the component 2dsphere_bucket Index Handler. This manipulation causes reachable assertion.
This vulnerability is registered as CVE-2026-8843. Remote exploitation of the attack is possible. No exploit is available.
Upgrading the affected component is recommended.
GHSA
GHSA-v7q4-vccc-3jxg: Creating a "2dsphere_bucket" index on a non-timeseries bucket collection will succeed, but any subsequent attempt to insert a document which triggers
ghsa_unreviewed·2026-05-18
CVE-2026-8843 [HIGH] CWE-617 GHSA-v7q4-vccc-3jxg: Creating a "2dsphere_bucket" index on a non-timeseries bucket collection will succeed, but any subsequent attempt to insert a document which triggers
Creating a "2dsphere_bucket" index on a non-timeseries bucket collection will succeed, but any subsequent attempt to insert a document which triggers updating that index will crash the server. A similar issue occurs when creating "queryable_encrypted_range" indices.
This issue affects MongoDB Server v7.0 versions prior to 7.0.32, v8.0 versions prior to 8.0.21 and v8.2 versions prior to 8.2.6.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-05-18