CVE-2026-1849 Overview
CVE-2026-1849 affects MongoDB Server, where evaluating expressions that produce deeply nested documents can trigger an out-of-memory failure. The server uses recursive functions to evaluate these expressions but does not periodically check the depth of the expression. An authenticated attacker with low privileges can submit crafted queries over the network to exhaust memory and crash the database process. The flaw is categorized under [CWE-674] Uncontrolled Recursion and results in a denial-of-service condition against the database availability.
Critical Impact
Authenticated network attackers can crash MongoDB Server instances by submitting expressions that recursively produce deeply nested documents, exhausting memory and disrupting database availability.
Affected Products
- MongoDB Server (vendor: mongodb)
- Deployments exposing query interfaces to authenticated users
- Instances permitting aggregation expressions from low-privilege accounts
Discovery Timeline
- 2026-02-10 - CVE-2026-1849 published to the National Vulnerability Database (NVD)
- 2026-02-25 - Last updated in NVD database
Technical Details for CVE-2026-1849
Vulnerability Analysis
The vulnerability resides in MongoDB Server's expression evaluation engine. When the server processes expressions that generate deeply nested document structures, it invokes recursive functions to walk and materialize each layer. The recursion path lacks periodic depth checks, allowing a single crafted expression to drive memory consumption upward without bound. As the recursion unwinds, the resulting document tree consumes heap memory until the operating system terminates the mongod process or the server aborts under memory pressure. The result is a denial-of-service condition against availability, while confidentiality and integrity are not affected.
Root Cause
The root cause is uncontrolled recursion [CWE-674] inside expression evaluation routines. The recursive functions that build nested documents do not validate or cap nesting depth between invocations. Without a guard that aborts evaluation when a configured depth threshold is reached, the server continues to allocate memory for each new nesting level until exhaustion.
Attack Vector
The attack vector is network-based and requires low privileges, meaning the attacker must hold a valid MongoDB account with permission to issue queries or aggregations. No user interaction is required. The attacker submits an aggregation or query expression that recursively produces nested objects or arrays, causing the server to allocate memory proportional to the nesting depth. Because the workload runs in mongod itself, a single malicious request can disrupt service for all tenants sharing that instance.
No public proof-of-concept code is available for CVE-2026-1849. For technical specifics, refer to the MongoDB Server Issue Tracker.
Detection Methods for CVE-2026-1849
Indicators of Compromise
- Unexpected mongod process crashes or restarts coinciding with high memory utilization on database hosts.
- Operating system out-of-memory (OOM) killer events targeting mongod in /var/log/messages or dmesg.
- MongoDB log entries showing aggregation or expression evaluation immediately before termination.
- Spikes in resident set size (RSS) for mongod followed by abrupt service unavailability.
Detection Strategies
- Enable MongoDB profiling and audit logs to capture expressions and aggregation pipelines submitted by low-privilege accounts.
- Alert on aggregation operations whose execution time or memory footprint exceeds historical baselines for the workload.
- Correlate authentication events with subsequent mongod crashes to identify which account submitted the triggering query.
Monitoring Recommendations
- Track mongod process memory, CPU, and restart counts through host-level telemetry.
- Monitor MongoDB serverStatus metrics, particularly mem.resident and metrics.commands.aggregate, for anomalies.
- Forward MongoDB diagnostic logs and host OOM events to a centralized SIEM for correlation across replicas.
How to Mitigate CVE-2026-1849
Immediate Actions Required
- Apply the vendor patch referenced in the MongoDB Server Issue Tracker once available for your release train.
- Audit MongoDB role assignments and remove unused or over-privileged accounts that can submit aggregation expressions.
- Restrict network exposure of mongod instances to trusted application tiers only.
Patch Information
MongoDB tracks the fix under issue SERVER-102364. Administrators should consult the MongoDB Server Issue Tracker for fixed version numbers corresponding to their deployment branch and apply the upgrade through standard rolling-restart procedures across replica set members.
Workarounds
- Enforce least privilege by limiting roles such as readWrite and custom aggregation roles to required namespaces only.
- Place a query proxy or application-layer validator in front of MongoDB to reject pipelines exceeding a sane nesting depth.
- Set operating system memory limits (cgroups, systemdMemoryMax) on mongod so a single failure is contained without affecting other host services.
- Monitor and rate-limit aggregation traffic from individual authenticated principals.
# Configuration example: constrain mongod memory via systemd to limit blast radius
sudo systemctl edit mongod.service
# Add the following override:
[Service]
MemoryMax=8G
MemoryHigh=7G
Restart=on-failure
RestartSec=10
# Reload and restart
sudo systemctl daemon-reload
sudo systemctl restart mongod
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
