CVE-2026-8202 Overview
CVE-2026-8202 is a resource exhaustion vulnerability in MongoDB Server affecting the $trim, $ltrim, and $rtrim aggregation operators. An authenticated user with aggregation permissions can submit a densely populated chars mask combined with a large input string to drive CPU utilization to 100% for an extended period. The flaw is classified under CWE-770: Allocation of Resources Without Limits or Throttling.
The vulnerability impacts MongoDB Server v7.0 versions prior to 7.0.34, v8.0 versions prior to 8.0.23, v8.2 versions prior to 8.2.9, and v8.3 versions prior to 8.3.2.
Critical Impact
An authenticated attacker with nothing more than aggregation access can degrade or deny service by pinning CPU at 100%. Every database, user, and application sharing the affected mongod loses availability, not only the collection the attacker is allowed to read.
Affected Products
- MongoDB Server 7.0 prior to 7.0.34
- MongoDB Server 8.0 prior to 8.0.23
- MongoDB Server 8.2 prior to 8.2.9
- MongoDB Server 8.3 prior to 8.3.2
Discovery Timeline
- 2026-05-13 - CVE-2026-8202 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-8202
Vulnerability Analysis
The vulnerability is a Denial of Service (DoS) condition reachable through MongoDB's aggregation framework. The $trim, $ltrim, and $rtrim operators remove characters from the start, end, or both sides of a string when those characters match any element of the supplied chars mask (whitespace when chars is omitted). The cost of the internal matching algorithm is not bounded relative to the size of the input string and the density of the mask.
An authenticated user with aggregation privileges issues a crafted pipeline that forces the server to perform an excessive number of character comparisons, and the query thread saturates a CPU core for a prolonged duration. One such query pins one core; an attacker who submits several in parallel can saturate every core on the host, at which point unrelated queries, replication, and health checks on the same mongod all degrade.
The EPSS score is 0.032%, reflecting a low predicted probability of exploitation, but the attack needs only ordinary aggregation access and no special tooling, so abuse by a compromised or malicious tenant account is plausible in shared environments.
Root Cause
The root cause is missing throttling and complexity control in the trim operator implementation [CWE-770]. The character-matching logic does not bound the work performed relative to input size or mask density, allowing a single query to monopolize CPU resources.
Attack Vector
The attack vector is network-based against the MongoDB query interface. An attacker must hold valid credentials with permission to run aggregation pipelines on at least one collection. The attacker submits a $trim, $ltrim, or $rtrim expression whose input is a long string and whose chars parameter is densely populated with distinct characters. The server consumes CPU until the operation completes, hits a maxTimeMS limit if one was set, or is killed by an administrator.
No verified public exploit code is available. Technical context is documented in the MongoDB Jira Issue SERVER-120668.
Detection Methods for CVE-2026-8202
Indicators of Compromise
- Sustained 100% CPU utilization on mongod processes correlated to specific aggregation queries
- Slow query log entries referencing $trim, $ltrim, or $rtrim stages with unusually large chars parameters
- currentOp output showing long-running aggregation operations from a single authenticated user
- Increased query latency or timeouts on collections targeted by aggregation pipelines
Detection Strategies
- Enable the database profiler at level 1 with a slowms threshold (level 2 records every operation and is too noisy for production) and alert on aggregations exceeding expected execution time; the same slowms threshold controls which operations reach the slow query log
- Parse the structured (JSON) mongod log for Slow query entries whose attr.command.pipeline contains $trim, $ltrim, or $rtrim with a chars string whose distinct-character count exceeds a baseline, remembering that the operators can be nested inside $project, $addFields, $expr, or $lookup sub-pipelines
- Correlate authenticated session activity with host-level CPU saturation events to identify abusive accounts
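The detection strategies above, as an added example that is not part of the original page or of MongoDB's own tooling: a Node.js script that scans mongod's structured JSON log, attributes connections to users through the "Successfully authenticated" entries that share the same ctx value, and flags slow aggregations whose pipeline carries a $trim, $ltrim, or $rtrim with a dense or data-derived chars mask. The log lines are constructed samples, and the two thresholds are tuning assumptions, not values from the advisory. The same findTrimOperators walker can be applied to the command field of a db.currentOp() entry when deciding which running operations to kill.

```javascript
// Added example (not MongoDB's code): scan mongod's structured JSON log for slow
// aggregations whose pipeline carries $trim/$ltrim/$rtrim with a dense chars mask.
// Runs under Node.js with no dependencies. All log lines are constructed samples.

const TRIM_OPS = new Set(['$trim', '$ltrim', '$rtrim']);
const DISTINCT_CHARS_THRESHOLD = 64; // tuning assumption: legitimate masks are a few characters
const SLOW_MS = 10000;               // tuning assumption: raise severity past this duration

// Recursively walk a command document (log attr.command, or the command field of a
// currentOp entry) and describe every trim operator found, however deeply it is nested
// ($project, $addFields, $expr, $lookup sub-pipelines, ...).
function findTrimOperators(node, path = 'command', out = []) {
  if (Array.isArray(node)) {
    node.forEach((v, i) => findTrimOperators(v, `${path}[${i}]`, out));
  } else if (node !== null && typeof node === 'object') {
    for (const [key, val] of Object.entries(node)) {
      const here = `${path}.${key}`;
      if (TRIM_OPS.has(key) && val !== null && typeof val === 'object' && !Array.isArray(val)) {
        const chars = val.chars;
        if (chars === undefined) {
          out.push({ op: key, path: here, maskKind: 'default', distinctChars: 0 });
        } else if (typeof chars === 'string' && !chars.startsWith('$')) {
          // Literal mask: count distinct code points, since mask density drives the cost.
          out.push({ op: key, path: here, maskKind: 'literal', distinctChars: new Set(chars).size });
        } else {
          // Field path ("$mask"), variable, or expression object: the mask comes from
          // document data or computation and cannot be bounded from the log alone.
          out.push({ op: key, path: here, maskKind: 'expression', distinctChars: -1 });
        }
      }
      findTrimOperators(val, here, out);
    }
  }
  return out;
}

function isSuspicious(trim) {
  return trim.maskKind === 'expression' || trim.distinctChars >= DISTINCT_CHARS_THRESHOLD;
}

// Parse log lines in order, remember which user authenticated on each connection (ctx),
// and return one finding per slow aggregation that contains a suspicious trim operator.
function analyzeLogLines(lines) {
  const userByConn = new Map();
  const findings = [];
  for (const line of lines) {
    let entry;
    try { entry = JSON.parse(line); } catch { continue; } // skip non-JSON (legacy format) lines
    const attr = entry.attr || {};
    if (entry.msg === 'Successfully authenticated' && attr.user) {
      userByConn.set(entry.ctx, `${attr.user}@${attr.db}`);
      continue;
    }
    if (entry.msg !== 'Slow query' || !attr.command || attr.command.aggregate === undefined) continue;
    const trims = findTrimOperators(attr.command).filter(isSuspicious);
    if (trims.length === 0) continue;
    findings.push({
      time: entry.t && entry.t.$date,
      conn: entry.ctx,
      user: userByConn.get(entry.ctx) || 'unknown',
      ns: attr.ns,
      durationMillis: attr.durationMillis,
      severity: attr.durationMillis >= SLOW_MS ? 'high' : 'medium',
      trims,
    });
  }
  return findings;
}

// Constructed sample log, built as objects so the dense mask is JSON-encoded correctly.
const denseMask = Array.from({ length: 128 }, (_, i) => String.fromCharCode(0x21 + i)).join('');
const SAMPLE_LOG_LINES = [
  { t: { $date: '2026-05-13T10:00:00.000+00:00' }, s: 'I', c: 'ACCESS', id: 5286306, ctx: 'conn12',
    msg: 'Successfully authenticated', attr: { client: '10.0.0.5:53210', mechanism: 'SCRAM-SHA-256', user: 'reportsvc', db: 'app' } },
  { t: { $date: '2026-05-13T10:01:00.000+00:00' }, s: 'I', c: 'COMMAND', id: 51803, ctx: 'conn7', msg: 'Slow query',
    attr: { type: 'command', ns: 'app.docs', command: { aggregate: 'docs', pipeline: [
      { $project: { name: { $trim: { input: '$name', chars: ' \t\n' } } } }], cursor: {}, $db: 'app' }, durationMillis: 1200 } },
  { t: { $date: '2026-05-13T10:02:00.000+00:00' }, s: 'I', c: 'COMMAND', id: 51803, ctx: 'conn12', msg: 'Slow query',
    attr: { type: 'command', ns: 'app.docs', command: { aggregate: 'docs', pipeline: [
      { $project: { body: { $ltrim: { input: '$body', chars: denseMask } } } }], cursor: {}, $db: 'app' }, durationMillis: 48000 } },
  { t: { $date: '2026-05-13T10:03:00.000+00:00' }, s: 'I', c: 'COMMAND', id: 51803, ctx: 'conn30', msg: 'Slow query',
    attr: { type: 'command', ns: 'app.docs', command: { aggregate: 'docs', pipeline: [
      { $lookup: { from: 'other', as: 'x', pipeline: [
        { $addFields: { y: { $rtrim: { input: '$y', chars: '$mask' } } } }] } }], cursor: {}, $db: 'app' }, durationMillis: 3000 } },
].map((e) => JSON.stringify(e));

for (const f of analyzeLogLines(SAMPLE_LOG_LINES)) {
  console.log(`${f.severity}: ${f.user} on ${f.conn} ran ${f.ns} aggregate for ${f.durationMillis}ms; ` +
    f.trims.map((t) => `${t.op} mask=${t.maskKind}${t.distinctChars >= 0 ? ` (${t.distinctChars} distinct)` : ''}`).join(', '));
}
```

The benign $trim with a three-character mask is ignored even though it was slow, the 128-character mask on conn12 is attributed to reportsvc and rated high because it also ran for 48 seconds, and the $rtrim buried in a $lookup sub-pipeline is flagged at medium severity because its mask is a field path, so its density depends on the documents rather than the query text. In production, feed the script the output of tail -f on mongod.log and keep in mind that the server may truncate very long commands in the slow query entry, in which case the mask will not be visible and the duration alone has to carry the alert.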
Monitoring Recommendations
- Track per-user query cost and command counts to surface anomalous aggregation workloads
- Monitor db.serverStatus() metrics, including opcounters, connections, and metrics.commands.aggregate (total and failed), alongside host-level CPU for each mongod process; serverStatus does not report CPU per connection, so per-user attribution comes from currentOp and the log
- Configure alerts when mongod CPU exceeds 90% for more than a defined window
How to Mitigate CVE-2026-8202
Immediate Actions Required
- Upgrade MongoDB Server to 7.0.34, 8.0.23, 8.2.9, 8.3.2, or later as appropriate for your branch
- Audit which users hold the find action on each collection, since that is the privilege aggregate checks: it comes with the read and readWrite roles and most custom roles; remove access that is not needed
- Set maxTimeMS defaults on application-side aggregation calls to bound long-running operations
Patch Information
MongoDB has released fixed versions across all supported branches. Patch details and tracking are available in MongoDB Jira Issue SERVER-120668. Upgrade to the corresponding fixed minor version for your deployment branch.
Workarounds
- Restrict aggregation permissions to trusted service accounts until patching is complete
- On 8.0 and later, set the defaultMaxTimeMS cluster parameter (its readOperations field) so that read operations which do not carry their own maxTimeMS are bounded server-side; 7.0 has no such server-side default, so the timeout must be set per call
- Use the killOp command (requires the killop privilege, granted by the hostManager role) to terminate aggregations that exceed duration thresholds; killing is a stopgap, since the attacker can simply resubmit the query
# Apply an operation timeout when issuing aggregation queries; the server aborts the
# operation with error code 50 (MaxTimeMSExpired) once the limit is exceeded
mongosh --eval 'db.collection.aggregate([{ $project: { trimmed: { $trim: { input: "$field", chars: " \t\n" } } } }], { maxTimeMS: 5000 })'
# Identify and kill aggregation operations that have been running longer than 30 seconds
# (the command.aggregate filter excludes other long-running commands; needs the killop privilege)
mongosh --eval 'db.currentOp({ "op": "command", "command.aggregate": { $exists: true }, "secs_running": { $gt: 30 } }).inprog.forEach(o => { print("killing opid " + o.opid + " from " + o.client); db.killOp(o.opid) })'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


