CVE-2026-8336 Overview
CVE-2026-8336 is a post-authentication denial-of-service vulnerability in MongoDB Server. An authenticated user can crash mongod by invoking $_internalJsEmit, which is not intended to be directly accessible, or by abusing the mapreduce command's map function. The crash occurs when the server-side JavaScript engine is subsequently used through operators such as $where, $function, or the mapreduce reduce stage. The flaw is rooted in a use-after-free condition [CWE-416] within the JavaScript execution path. MongoDB Server v8.2 versions prior to 8.2.9 and v8.3 versions prior to 8.3.2 are affected.
Critical Impact
An authenticated attacker with low privileges can trigger a server crash, causing a denial-of-service condition that disrupts database availability for all connected clients.
Affected Products
- MongoDB Server v8.2 prior to 8.2.9
- MongoDB Server v8.3 prior to 8.3.2
- Deployments exposing server-side JavaScript operators ($where, $function, mapreduce)
Discovery Timeline
- 2026-05-13 - CVE-2026-8336 published to NVD
- 2026-05-15 - Last updated in NVD database
Technical Details for CVE-2026-8336
Vulnerability Analysis
The vulnerability resides in MongoDB's server-side JavaScript execution subsystem. MongoDB exposes JavaScript evaluation through operators including $where, $function, and the mapreduce command's map and reduce stages. The internal function $_internalJsEmit is intended for use only within the server's internal map-emit pipeline and is not a publicly supported API.
When an authenticated user invokes $_internalJsEmit directly, or supplies a crafted map function to the mapreduce command, the server enters an inconsistent state. A subsequent operation that re-enters the JavaScript engine through $where, $function, or the mapreduce reduce stage dereferences memory that has already been released. This use-after-free condition [CWE-416] causes mongod to terminate.
Root Cause
The root cause is improper lifetime management of internal JavaScript engine objects. State established during the initial misuse of $_internalJsEmit or the map function leaves dangling references. The next JavaScript-backed query operation accesses those freed structures, producing the crash. The issue is tracked publicly in MongoDB JIRA Ticket SERVER-121610.
Attack Vector
Exploitation requires network access to the MongoDB instance and valid authentication credentials with permission to execute queries that invoke JavaScript. The attacker first issues a query containing $_internalJsEmit or a malformed mapreduce map function. The attacker then issues a follow-up query that triggers the JavaScript engine. The second query crashes the mongod process, terminating all active connections and halting database service until the process is restarted.
No verified public proof-of-concept code is available. Refer to the vendor ticket for technical reproduction details.
Detection Methods for CVE-2026-8336
Indicators of Compromise
- Unexpected mongod process crashes or restart loops correlated with authenticated user query activity
- Audit log entries containing $_internalJsEmit issued by client sessions
- mapreduce commands followed shortly by $where or $function queries that precede a fatal signal in the MongoDB log
- Sudden loss of client connections accompanied by server stack traces referencing the JavaScript scope or interpreter
Detection Strategies
- Enable MongoDB auditing and filter for command payloads referencing $_internalJsEmit, since legitimate clients should never use this internal symbol
- Correlate mongod crash events with the preceding authenticated session's command history to identify the originating user
- Monitor query telemetry for sequences combining mapreduce and JavaScript operators originating from the same authenticated principal
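The audit-log filter and the per-principal sequence check described above, as an added example (not code from MongoDB or from this advisory). It assumes JSON-format audit logs whose authCheck events carry the command name and arguments under param; the 5-minute window, the helper names and the sample events are constructed for illustration.

```python
import json
from datetime import datetime, timedelta

INTERNAL = "$_internalJsEmit"      # internal symbol named in the advisory
JS_OPS = {"$where", "$function"}   # operators that re-enter the JS engine
WINDOW = timedelta(minutes=5)      # assumed correlation window

def keys(node):
    """Yield every dict key nested anywhere inside a JSON value."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield k
            yield from keys(v)
    elif isinstance(node, list):
        for v in node:
            yield from keys(v)

def scan(lines):
    """Return (finding, principal, timestamp) tuples for audit log lines."""
    findings, last_mr = [], {}
    for line in lines:
        try:
            ev = json.loads(line)
        except ValueError:
            continue                   # skip truncated or non-JSON lines
        if not isinstance(ev, dict) or ev.get("atype") != "authCheck":
            continue
        param, ts = ev.get("param", {}), datetime.fromisoformat(ev["ts"]["$date"])
        who = ",".join(f'{u["user"]}@{u["db"]}' for u in ev.get("users", [])) or "unauthenticated"
        used = set(keys(param.get("args", {})))
        if INTERNAL in used:
            findings.append(("internal_symbol", who, ts.isoformat()))
        if param.get("command", "").lower() == "mapreduce":
            last_mr[who] = ts          # latest mapReduce seen for this principal
        elif used & JS_OPS and who in last_mr and ts - last_mr[who] <= WINDOW:
            findings.append(("mapreduce_then_js", who, ts.isoformat()))
    return findings

def sample_line(hms, user, command, args):  # builds one constructed authCheck line
    return json.dumps({"atype": "authCheck", "ts": {"$date": f"2026-05-14T{hms}.000+00:00"},
                       "users": [{"user": user, "db": "admin"}], "result": 0,
                       "param": {"command": command, "ns": "shop.orders", "args": args}})

SAMPLE = [  # constructed events; users and namespace are made up, JS bodies elided
    sample_line("10:00:01", "report_svc", "mapReduce", {"mapReduce": "orders", "map": "<js>", "reduce": "<js>"}),
    sample_line("10:00:20", "report_svc", "find", {"find": "orders", "filter": {"$where": "<js>"}}),
    sample_line("10:01:00", "app_rw", "find", {"find": "orders", "filter": {"$where": "<js>"}}),
    sample_line("10:02:00", "dev_user", "aggregate", {"aggregate": "orders", "pipeline": [{"$project": {"x": {"$_internalJsEmit": "<elided>"}}}]})]
print(*scan(SAMPLE), sep="\n")
```

Successful operations appear as authCheck events only when the auditAuthorizationSuccess server parameter is enabled; by default the audit log records authorization failures only.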
Monitoring Recommendations
- Ship MongoDB audit logs and mongod crash logs to a centralized analytics platform for correlation across instances
- Alert on repeated abnormal terminations of mongod within a short window across a replica set
- Track per-user usage of server-side JavaScript operators and flag privileged accounts that begin executing mapreduce or $where unexpectedly
How to Mitigate CVE-2026-8336
Immediate Actions Required
- Upgrade MongoDB Server v8.2 deployments to 8.2.9 or later, and v8.3 deployments to 8.3.2 or later
- Audit existing role assignments and remove JavaScript-execution privileges from accounts that do not require them
- Review application code to confirm no client legitimately calls $_internalJsEmit, then alert on any future occurrences
Patch Information
MongoDB has resolved the issue in MongoDB Server 8.2.9 and 8.3.2. Apply the corresponding fixed release for your major version. Track the upstream fix and additional engineering context through MongoDB JIRA Ticket SERVER-121610.
Workarounds
- Disable server-side JavaScript by starting mongod with --noscripting or setting security.javascriptEnabled: false where applications do not require $where, $function, or mapreduce
- Restrict network exposure of MongoDB to trusted application tiers and enforce least-privilege role-based access control
- Limit mapreduce and JavaScript operator usage to dedicated service accounts that are tightly monitored
# Configuration example: disable server-side JavaScript in mongod.conf
security:
  authorization: enabled
  javascriptEnabled: false


