CVE-2026-11933 Overview
CVE-2026-11933 is a use-after-free vulnerability in MongoDB Server's server-side JavaScript engine. The flaw occurs when the engine converts Binary JSON (BSON) documents into JavaScript arrays. An authenticated user with read privileges who can execute server-side JavaScript through operators such as $where or $function can trigger access to freed memory.
Successful exploitation can leak information from the mongod process address space or crash the server, resulting in denial of service. The issue is tracked upstream as MongoDB Jira Issue SERVER-128125 and is classified under CWE-787.
Critical Impact
An authenticated attacker with read access and server-side JavaScript privileges can disclose mongod process memory or crash the database server.
Affected Products
- MongoDB Server with server-side JavaScript execution enabled
- Deployments permitting $where query operators
- Deployments permitting $function aggregation expressions
Discovery Timeline
- 2026-06-12 - CVE-2026-11933 published to the National Vulnerability Database (NVD)
- 2026-06-17 - Last updated in the NVD database
- 2026-06-18 - Exploit Prediction Scoring System (EPSS) data recorded
Technical Details for CVE-2026-11933
Vulnerability Analysis
The vulnerability resides in the BSON-to-JavaScript array conversion logic inside MongoDB's embedded JavaScript engine. When the server processes a query containing a $where clause or an aggregation pipeline using $function, it serializes BSON documents into native JavaScript objects for evaluation.
During this conversion, a referenced memory region is freed while a JavaScript handle still points to it. Subsequent operations on the dangling handle read or write reclaimed memory. Depending on the allocator state, the attacker either receives uninitialized data from the mongod heap or causes a segmentation fault that terminates the process.
The authentication requirement limits exposure to users who already hold at least read privileges. However, MongoDB roles such as read or readAnyDatabase typically include the ability to issue $where and $function operations unless explicitly restricted.
Root Cause
The root cause is a lifetime management defect between the BSON object backing store and the JavaScript wrapper that exposes its elements. The wrapper retains a raw pointer after the underlying buffer is released, violating ownership invariants between the C++ runtime and the JavaScript engine.
Attack Vector
The attack is network-reachable and requires low privileges with no user interaction. An authenticated client submits a crafted query or aggregation that forces the engine to allocate, convert, and free a BSON-backed array in a specific sequence. The triggering payload is a standard MongoDB wire-protocol request, so no special client tooling is required.
The vulnerability manifests during normal query evaluation. See MongoDB Jira Issue SERVER-128125 for upstream technical details.
Detection Methods for CVE-2026-11933
Indicators of Compromise
- Unexpected mongod process crashes or restarts correlated with client query activity
- Audit log entries showing repeated $where or $function invocations from a single authenticated user
- Segmentation fault signals (SIGSEGV) recorded in MongoDB diagnostic logs
- Anomalous BSON payloads containing nested arrays submitted by low-privilege accounts
Detection Strategies
- Enable MongoDB auditing and alert on heavy use of $where and $function operators by non-administrative roles
- Monitor mongod exit codes and core dumps for crash patterns consistent with heap corruption
- Inspect application telemetry for queries that embed user-controlled JavaScript expressions
Monitoring Recommendations
- Forward MongoDB audit and diagnostic logs to a centralized analytics platform for correlation
- Track per-user query operator frequency and flag deviations from baseline behavior
- Alert on repeated client disconnects that coincide with database process restarts
How to Mitigate CVE-2026-11933
Immediate Actions Required
- Disable server-side JavaScript execution if it is not required by the application by setting security.javascriptEnabled to false
- Revoke or restrict roles that permit $where and $function usage to trusted administrative accounts
- Review existing role assignments and remove unnecessary read privileges on production clusters
Patch Information
Refer to MongoDB Jira Issue SERVER-128125 for the fixed release versions and upgrade guidance. Apply the vendor-supplied update to all replica set members and shard nodes, then perform a rolling restart.
Workarounds
- Set security.javascriptEnabled: false in mongod.conf to prevent server-side JavaScript evaluation
- Use custom roles that exclude $where and $function permissions for application service accounts
- Place MongoDB behind network controls that restrict client access to vetted application tiers
# Configuration example: disable server-side JavaScript in mongod.conf
security:
authorization: enabled
javascriptEnabled: false
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

