CVE-2026-8063

MEDIUM

6.5CVSS v3

—CVSS v2

0.05% EPSS (exploit probability)

CWE-476CWE

Description

An authenticated user can crash mongod when running $rankFusion or $scoreFusion with an empty pipeline on a view.

When resolving a view, the server inspects the aggregation pipeline to determine whether it begins with an Atlas Search stage. For $rankFusion and $scoreFusion, this inspection reads the first element on each stage’s input pipeline array without first verifying that the array is non-empty. Supplying an empty pipeline causes a null pointer dereference and crashes the server.

This issue affects MongoDB Server 8.2 versions prior to 8.2.7.

CVSS v3 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Affected routers (0)

No routers currently mapped to this CVE in our database.

External references

NIST NVD
MITRE CVE