CVE-2026-8843 Overview
CVE-2026-8843 is a denial-of-service vulnerability in MongoDB Server affecting how the database handles specialized index types on incompatible collections. Creating a 2dsphere_bucket index on a non-timeseries bucket collection succeeds without error, but any subsequent document insert that triggers an index update crashes the server process. The same condition affects queryable_encrypted_range indices. The flaw is tracked under [CWE-617: Reachable Assertion] and requires only low-privileged authenticated access to exploit. An attacker with write permissions can reliably terminate the mongod process, disrupting database availability across all hosted applications.
Critical Impact
Authenticated low-privilege users can crash MongoDB Server instances by creating an invalid index and inserting a document, producing a denial-of-service condition that affects availability of all hosted databases.
Affected Products
- MongoDB Server v7.0 versions prior to 7.0.32
- MongoDB Server v8.0 versions prior to 8.0.21
- MongoDB Server v8.2 versions prior to 8.2.6
Discovery Timeline
- 2026-05-18 - CVE-2026-8843 published to NVD
- 2026-05-18 - Last updated in NVD database
Technical Details for CVE-2026-8843
Vulnerability Analysis
The vulnerability resides in MongoDB Server's index validation logic. MongoDB exposes specialized internal index types, including 2dsphere_bucket and queryable_encrypted_range, which are designed for use with specific collection types such as timeseries bucket collections. The server fails to reject creation of these indices when the target collection is not a valid bucket collection. The invalid index persists in metadata without immediate consequence.
The crash occurs when a document insert triggers an index update against the malformed index. The server reaches an assertion that was not designed to be triggered through normal user input, causing mongod to terminate. This matches the [CWE-617] pattern of a reachable assertion converting an invalid state into a process abort.
Root Cause
The root cause is missing input validation during index creation. MongoDB does not verify that the collection type matches the requirements of the requested index variant. The assertion that protects internal invariants during index updates is therefore reachable from an authenticated user session that holds standard write privileges on a target collection.
Attack Vector
Exploitation requires network access to the MongoDB instance and authenticated credentials with permission to create indices and insert documents. The attacker creates a collection, issues an index creation command specifying 2dsphere_bucket or queryable_encrypted_range, and then inserts a document that triggers the index update path. The mongod process terminates, denying service to all clients connected to that instance. The vulnerability described in MongoDB Issue SERVER-116327 does not allow code execution or data disclosure.
Detection Methods for CVE-2026-8843
Indicators of Compromise
- Unexpected mongod process terminations correlated with recent createIndex operations referencing 2dsphere_bucket or queryable_encrypted_range types.
- MongoDB audit log entries showing index creation with these specialized types on collections that are not timeseries bucket collections.
- Repeated client connection failures or replica set primary step-downs immediately following insert operations on collections with newly created indices.
Detection Strategies
- Query the MongoDB system catalog for indices of type 2dsphere_bucket or queryable_encrypted_range on non-timeseries collections and flag any matches for review.
- Enable MongoDB auditing for createIndex events and alert when specialized internal index types are requested by non-administrative accounts.
- Correlate mongod crash events with the preceding command stream to identify the triggering insert and originating client.
Monitoring Recommendations
- Monitor MongoDB server logs for assertion failures and abnormal process exits using a centralized logging platform.
- Track index creation events across all replica set members and sharded clusters to detect unauthorized schema modifications.
- Establish alerting on database availability metrics so that crash-driven outages are surfaced within seconds.
How to Mitigate CVE-2026-8843
Immediate Actions Required
- Upgrade MongoDB Server to version 7.0.32, 8.0.21, or 8.2.6 or later as appropriate for your deployment branch.
- Audit existing collections for indices of type 2dsphere_bucket or queryable_encrypted_range on non-timeseries collections and drop any that should not exist.
- Review role assignments and remove createIndex privileges from accounts that do not require schema modification.
Patch Information
MongoDB has released fixed builds in versions 7.0.32, 8.0.21, and 8.2.6. The patches add validation that rejects creation of 2dsphere_bucket and queryable_encrypted_range indices on incompatible collection types. Refer to MongoDB Issue SERVER-116327 for the upstream fix details and changelog references.
Workarounds
- Restrict the createIndex action to trusted administrative roles using MongoDB role-based access control until patching is complete.
- Deploy MongoDB instances behind network controls that limit client access to known application hosts.
- Configure replica sets with sufficient secondary members so that a single crashed primary does not result in extended outage.
# Verify MongoDB Server version and check for vulnerable indices
mongosh --eval 'db.version()'
mongosh --eval 'db.adminCommand({listDatabases:1}).databases.forEach(function(d){db.getSiblingDB(d.name).getCollectionNames().forEach(function(c){db.getSiblingDB(d.name).getCollection(c).getIndexes().forEach(function(i){if(i["2dsphere_bucket"]||i["queryable_encrypted_range"]){print(d.name+"."+c+": "+i.name)}})})})'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
