CVE-2026-9747 Overview
CVE-2026-9747 is a denial-of-service vulnerability in MongoDB Server. An authenticated attacker can crash the mongod process by submitting an aggregation pipeline that combines the fromRouter:true flag with runtimeConstants.userRoles. The defect maps to [CWE-617: Reachable Assertion], where untrusted input reaches an internal invariant check and forces the server to terminate.
The issue requires network access and low-privilege authentication. It does not expose data confidentiality or integrity, but the affected aggregation path is reachable through standard MongoDB client traffic. Public tracking is available via the MongoDB Issue Tracker Entry.
Critical Impact
A low-privileged authenticated user can crash a MongoDB server instance with a single crafted aggregation command, breaking database availability for all dependent applications.
Affected Products
- MongoDB Server (see MongoDB Issue Tracker Entry for affected branches)
- Deployments exposing the aggregation framework to authenticated clients
- Sharded clusters where router-originated commands are processed by mongod
Discovery Timeline
- 2026-06-09 - CVE-2026-9747 published to NVD
- 2026-06-10 - Last updated in NVD database
Technical Details for CVE-2026-9747
Vulnerability Analysis
The flaw resides in MongoDB's aggregation command processing. When a client submits an aggregation request that sets fromRouter:true together with runtimeConstants.userRoles, the server reaches a code path that violates an internal assertion. The assertion fires, the invariant check fails, and the mongod process aborts.
fromRouter is intended for mongos to identify itself to shard members during request routing. runtimeConstants is an internal mechanism used by the router to propagate execution context, including the requesting user's roles. Mixing these two router-originated parameters in a single client request creates an unexpected state that the server does not handle gracefully.
The vulnerability is categorized as a denial-of-service issue. It does not result in code execution or data disclosure, but the resulting crash terminates active sessions and forces failover or restart procedures. EPSS data indicates a low predicted exploitation likelihood at the time of publication.
Root Cause
The root cause is improper input validation on aggregation command parameters that were designed for internal router-to-shard communication. The server trusts the combination of fromRouter and runtimeConstants.userRoles instead of rejecting it when supplied by an ordinary client, leading to a reachable assertion as defined by [CWE-617].
Attack Vector
Exploitation requires an authenticated session with permission to issue aggregation queries against any database. The attacker submits a single aggregation command that includes fromRouter:true and a runtimeConstants.userRoles value. The crash is deterministic, repeatable, and triggered remotely over the standard MongoDB wire protocol. Refer to the MongoDB Issue Tracker Entry for the reproducer and patch references.
Detection Methods for CVE-2026-9747
Indicators of Compromise
- Unexpected mongod process termination with assertion or invariant failure messages in mongod.log
- Aggregation commands from non-router clients containing both fromRouter:true and a runtimeConstants field
- Repeated client reconnects following abrupt cluster member shutdowns
Detection Strategies
- Audit MongoDB profiler and slow query logs for aggregation commands that include fromRouter or runtimeConstants fields originating from non-mongos source addresses
- Alert on mongod exits with non-zero status combined with assertion strings such as invariant or fassert in log output
- Correlate authentication events with subsequent server crashes to identify the originating user account
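The log-side strategies above can be implemented as a small scanner over mongod's structured log. The following is an added example, not code from the advisory or from MongoDB: it reads JSON log lines of the shape mongod has emitted since 4.4 (the `attr.command`, `attr.remote`, `ctx`, `s` and `msg` fields), flags aggregate commands that carry `fromRouter` or `runtimeConstants` from an address that is not one of the cluster's own mongos processes, and separately flags fatal-severity or invariant/fassert entries. The router address list and the sample log lines are constructed for the example.

```python
# Added example (not from the advisory): scan MongoDB structured (JSON) log lines for
# the two signals the detection guidance names. Field names follow the 4.4+ log format;
# the router address list and the log lines themselves are constructed for this example.
import json
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Addresses of this cluster's own mongos processes (constructed). Aggregates carrying
# router-only fields are expected from these and from nowhere else.
ROUTER_ADDRESSES = {"10.0.1.10", "10.0.1.11"}
ROUTER_ONLY_FIELDS = ("fromRouter", "runtimeConstants")
ASSERT_PATTERN = re.compile(r"invariant|fassert|fatal assertion", re.IGNORECASE)


@dataclass
class Finding:
    kind: str      # "router_fields_from_client" or "assertion_failure"
    ctx: str       # connection context such as "conn12", for correlation with auth events
    detail: str


def remote_host(remote: str) -> str:
    """Strip the port from 'host:port' (also handles '[v6addr]:port')."""
    return remote.rsplit(":", 1)[0] if ":" in remote else remote


def check_aggregate(event: dict) -> Optional[Finding]:
    """Flag an aggregate that carries router-only fields but did not come from a router."""
    attr = event.get("attr") or {}
    cmd = attr.get("command")
    if not isinstance(cmd, dict) or "aggregate" not in cmd:
        return None
    present = [f for f in ROUTER_ONLY_FIELDS if f in cmd]
    if not present:
        return None
    remote = attr.get("remote", "")
    if remote_host(remote) in ROUTER_ADDRESSES:
        return None
    return Finding("router_fields_from_client", event.get("ctx", ""),
                   f"{remote or 'unknown source'} sent aggregate on {attr.get('ns')} with {present}")


def check_assertion(event: dict) -> Optional[Finding]:
    """Flag fatal-severity entries or messages naming an invariant/fassert failure."""
    msg = event.get("msg", "")
    if event.get("s") == "F" or ASSERT_PATTERN.search(msg):
        return Finding("assertion_failure", event.get("ctx", ""), msg)
    return None


def scan(lines: Iterable[str]) -> list:
    """Parse each line as JSON, skipping anything that is not a structured log entry."""
    findings = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not isinstance(event, dict):
            continue
        for check in (check_aggregate, check_assertion):
            finding = check(event)
            if finding:
                findings.append(finding)
    return findings


# Constructed sample lines: a router-originated aggregate (expected), a client-originated
# one carrying both router-only fields (suspicious), a plain client aggregate (benign),
# a fatal assertion entry of the kind that precedes an abort, and a non-JSON line.
SAMPLE_LOG = [
    '{"t":{"$date":"2026-06-10T09:00:01.000+00:00"},"s":"I","c":"COMMAND","id":51803,"ctx":"conn7",'
    '"msg":"Slow query","attr":{"type":"command","ns":"shop.orders","command":{"aggregate":"orders",'
    '"pipeline":[],"fromRouter":true,"$db":"shop"},"remote":"10.0.1.10:40122","durationMillis":120}}',
    '{"t":{"$date":"2026-06-10T09:00:02.000+00:00"},"s":"I","c":"COMMAND","id":51803,"ctx":"conn12",'
    '"msg":"Slow query","attr":{"type":"command","ns":"shop.orders","command":{"aggregate":"orders",'
    '"pipeline":[],"fromRouter":true,"runtimeConstants":{},"$db":"shop"},"remote":"10.0.5.23:51234","durationMillis":3}}',
    '{"t":{"$date":"2026-06-10T09:00:03.000+00:00"},"s":"I","c":"COMMAND","id":51803,"ctx":"conn13",'
    '"msg":"Slow query","attr":{"type":"command","ns":"shop.orders","command":{"aggregate":"orders",'
    '"pipeline":[{"$match":{}}],"$db":"shop"},"remote":"10.0.5.24:51240","durationMillis":150}}',
    '{"t":{"$date":"2026-06-10T09:00:03.500+00:00"},"s":"F","c":"ASSERT","ctx":"conn12",'
    '"msg":"Invariant failure","attr":{"expr":"<omitted>","file":"<omitted>","line":0}}',
    "not a json line",
]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.kind:26} {f.ctx:8} {f.detail}")
```

Feed it `mongod.log` (or the audit log, which carries the same command document under a different wrapper) and join findings on `ctx`: the connection context on the suspicious aggregate and on the assertion entry is the same `conn12` here, which is the correlation the third strategy asks for. Only commands that cross the slow-query threshold reach the log by default, so lower `slowOpThresholdMs` or use the profiler on the databases you care about to make the first check reliable.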
Monitoring Recommendations
- Forward MongoDB audit and diagnostic logs to a centralized analytics platform and trigger on assertion failures
- Track aggregation command volume per authenticated user to flag anomalies
- Monitor replica set elections and primary stepdowns as secondary signals of repeated crashes
How to Mitigate CVE-2026-9747
Immediate Actions Required
- Apply the MongoDB patch referenced in the MongoDB Issue Tracker Entry as soon as it is available for your release branch
- Restrict aggregation privileges to roles that require them and revoke broad readAnyDatabase grants where not necessary
- Place MongoDB behind network controls so only application servers and trusted mongos instances can connect
Patch Information
MongoDB tracks the fix in ticket SERVER-123918. Consult the MongoDB Issue Tracker Entry for fix versions and upgrade guidance applicable to your deployment.
Workarounds
- Use a proxy or driver-level filter to strip fromRouter and runtimeConstants fields from client-supplied aggregation commands
- Rotate credentials for any accounts that should not have aggregation rights and enforce least-privilege role assignments
- Enable client certificate authentication and source-IP allowlisting to reduce the population of users able to reach the aggregation surface
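The first workaround, a driver- or proxy-side filter, comes down to removing (or refusing) the two router-only fields from the command document before it leaves the application. The following is an added example and is not code from the advisory or from MongoDB; it handles the plain `aggregate` shape and the `explain` wrapper around it, and the request documents are constructed for the example.

```python
# Added example (not from the advisory or from MongoDB's own code): a driver- or proxy-side
# filter that strips, or refuses, router-only fields on a client-supplied aggregate command
# before it is sent to mongod. The command shapes below are constructed for the example.
from copy import deepcopy
from typing import Tuple

ROUTER_ONLY_FIELDS = ("fromRouter", "runtimeConstants")


class RouterFieldError(ValueError):
    """Raised in reject mode when a client-supplied aggregate carries router-only fields."""


def _aggregate_body(command: dict) -> dict:
    """Return the dict that holds the aggregate fields. An explain request wraps the
    command as {"explain": {"aggregate": ...}}, so look one level down for that case."""
    if "aggregate" in command:
        return command
    inner = command.get("explain")
    if isinstance(inner, dict) and "aggregate" in inner:
        return inner
    return {}


def sanitize_aggregate(command: dict, mode: str = "strip") -> Tuple[dict, list]:
    """Return (clean_command, removed_fields). mode="strip" drops the fields silently;
    mode="reject" raises instead, so a proxy can return an error and leave an audit trail."""
    if mode not in ("strip", "reject"):
        raise ValueError(f"unknown mode {mode!r}")
    clean = deepcopy(command)          # never mutate the caller's document
    body = _aggregate_body(clean)
    removed = [f for f in ROUTER_ONLY_FIELDS if f in body]
    if removed and mode == "reject":
        raise RouterFieldError(f"router-only fields not accepted from clients: {removed}")
    for field in removed:
        del body[field]
    return clean, removed


# Constructed client requests: a normal aggregate, one carrying both router-only fields,
# and an explain wrapper around one carrying fromRouter.
NORMAL = {"aggregate": "orders", "pipeline": [{"$match": {"status": "open"}}], "cursor": {}}
TAGGED = {"aggregate": "orders", "pipeline": [], "cursor": {},
          "fromRouter": True, "runtimeConstants": {}}
EXPLAINED = {"explain": {"aggregate": "orders", "pipeline": [], "fromRouter": True},
             "verbosity": "queryPlanner"}

if __name__ == "__main__":
    for doc in (NORMAL, TAGGED, EXPLAINED):
        clean, removed = sanitize_aggregate(doc)
        print(f"removed={removed} -> {clean}")
```

In an application this sits in front of the generic command call (the `db.command(...)` path in PyMongo, where raw command documents can be passed through); the higher-level `aggregate()` helpers never emit these fields, so the filter matters where clients are allowed to send arbitrary command documents. No legitimate client request carries either field, so reject mode loses nothing and turns each attempt into a loggable event that feeds the detection strategies above.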
# Configuration example: restrict access and audit aggregation usage in mongod.conf
# auditLog is a MongoDB Enterprise feature; by default authCheck events are written only
# for failed authorization, so auditAuthorizationSuccess is needed to record the
# aggregate commands that were actually allowed to run
security:
  authorization: enabled
auditLog:
  destination: file
  format: JSON
  path: /var/log/mongodb/audit.json
  filter: '{ atype: "authCheck", "param.command": "aggregate" }'
setParameter:
  auditAuthorizationSuccess: true
net:
  # bindIp takes addresses or hostnames, not CIDR ranges; 10.0.0.5 is a placeholder for
  # this host's internal interface, and source-IP allowlisting belongs in firewall rules
  bindIp: 127.0.0.1,10.0.0.5
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb-server.pem   # placeholder path; required with requireTLS
    CAFile: /etc/ssl/mongodb-ca.pem
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.