CVE-2026-8202
Published: 2026-05-13 · Last updated: 2026-05-18
Severity and scoring
- CVSS: 4.3 MEDIUM
- Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
- CWE: CWE-770
Affected products
| Vendor | Product |
|---|---|
| mongodb | mongodb |
Description
Using a densely populated chars mask and a large input string in the MongoDB aggregation operators $trim, $ltrim, and $rtrim, an authenticated user with aggregation permissions can pin CPU utilization at 100% for an extended period of time. This issue impacts MongoDB Server v7.0 versions prior to 7.0.34, v8.0 versions prior to 8.0.23, v8.2 versions prior to 8.2.9 and v8.3 versions prior to 8.3.2.
Source: NVD
Related CVEs
Same vendor
- CVE-2026-8336 — After invoking $_internalJsEmit, which is not intended to be directly accessible, or mapreduce command’s map function in a certain way, a... (7.5 HIGH)
- CVE-2026-8200 — When schema validation is enabled on a collection and an update or insert would violate the collection's schema, the local server log mes... (2.7 LOW)
- CVE-2026-8053 — An issue in MongoDB Server's time-series collection implementation allows an authenticated user with database write privileges to trigger... (8.8 HIGH)
Same CWE
- CVE-2026-53460 — ImageMagick is free and open-source software used for editing and manipulating digital images (7.5 HIGH)
- CVE-2026-46702 — Russh is a Rust SSH client & server library (7.5 HIGH)
- CVE-2026-46673 — Russh is a Rust SSH client & server library (7.5 HIGH)
- CVE-2026-45031 — ImageMagick is free and open-source software used for editing and manipulating digital images (5.3 MEDIUM)
- CVE-2026-10740 — Unbounded memory allocation in the CRYPTO frame reassembler in s2n-quic before 1.8.2 may allow an unauthenticated remote actor to cause a... (5.3 MEDIUM)