- Type: Bug
- Resolution: Fixed
- Priority: Critical - P2
- Affects Version/s: None
- Component/s: None
- Storage Execution
- Fully Compatible
- ALL
- v8.3, v8.2, v8.0, v7.0
- Storage Execution 2026-05-11, Storage Execution 2026-05-25
SUMMARY
This is a critical fix to address CVE-2026-8053. Upgrade to MongoDB 8.3.2, 8.2.9, 8.0.23, 7.0.34, 6.0.28, or 5.0.33.
ISSUE DESCRIPTION AND IMPACT
An issue in MongoDB Server's time-series collection implementation allows an authenticated user with database write privileges to trigger an out-of-bounds memory write in the mongod process. The issue results from an inconsistency in the internal field-name-to-index mapping within the time-series bucket catalog. Under certain conditions this can result in arbitrary code execution. We strongly recommend upgrading to a fixed version as soon as possible.
This issue affects MongoDB versions:
- MongoDB 8.3.0 through 8.3.1
- MongoDB 8.2.0 through 8.2.8
- MongoDB 8.0.0 through 8.0.22
- MongoDB 7.0.0 through 7.0.33
- MongoDB 6.0.0 through 6.0.27
- MongoDB 5.0.0 through 5.0.32
MITIGATIONS
We strongly suggest you upgrade immediately.
If you cannot upgrade immediately, please ensure you have defense in depth.
For example, if you are running a self-managed MongoDB deployment and cannot adopt a patch as recommended, take these specific steps:
- Confirm whether your deployment is reachable from untrusted networks and restrict access to trusted application paths, bastion hosts, or approved administrative sources only.
- Review operational and application accounts for unnecessary privileges, shared credentials, or passwords that may need to be changed before patching is completed.
- Confirm that authentication credentials/secrets (e.g., passwords) are unique to each account or environment and have been rotated within the last 90 days. Passwords or passphrases should be at least 15 characters long.
- As a best practice, prioritize unique passphrases, use of a password manager, and immediate rotation of the password for any database user whose password is not secret, is reused, or is shared.
REMEDIATION
Upgrade to MongoDB 8.3.2, 8.2.9, 8.0.23, 7.0.34, 6.0.28, or 5.0.33.
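To triage a fleet against the affected and fixed version lists above, the following added example (not MongoDB's code) classifies version strings and reports the upgrade target for each release series. The names `classifyVersion` and `triage`, the status labels, and the inventory are hypothetical; handling a suffixed build at the fixed patch level as "review" is an assumption.

```javascript
// Added example (not MongoDB's code). Series -> first fixed patch release,
// copied from the advisory's affected and fixed version lists.
const FIXED_PATCH = new Map([
  ["8.3", 2], ["8.2", 9], ["8.0", 23], ["7.0", 34], ["6.0", 28], ["5.0", 33],
]);

// Classify a version string such as "8.0.22" or "v7.0.34" (hypothetical helper).
function classifyVersion(raw) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$/.exec(String(raw).trim());
  if (!m) return { version: raw, status: "unparseable", upgradeTo: null };
  const series = `${m[1]}.${m[2]}`;
  const patch = Number(m[3]);
  if (!FIXED_PATCH.has(series)) {
    // The advisory says nothing about this series, so do not guess either way.
    return { version: raw, status: "not-listed", upgradeTo: null };
  }
  const fixedPatch = FIXED_PATCH.get(series);
  const upgradeTo = `${series}.${fixedPatch}`;
  if (patch < fixedPatch) return { version: raw, status: "affected", upgradeTo };
  // Assumption: a suffixed build at the fixed patch level (e.g. "-rc0") may
  // predate the fix, so it is flagged for manual review rather than cleared.
  if (patch === fixedPatch && m[4]) return { version: raw, status: "review", upgradeTo };
  return { version: raw, status: "fixed", upgradeTo: null };
}

// Return only the hosts that still need action, most urgent status first.
function triage(inventory) {
  const order = { affected: 0, review: 1, unparseable: 2, "not-listed": 3 };
  return inventory
    .map(({ host, version }) => ({ host, ...classifyVersion(version) }))
    .filter((r) => r.status !== "fixed")
    .sort((a, b) => order[a.status] - order[b.status]);
}

// Constructed inventory; hostnames and versions are sample values.
const inventory = [
  { host: "db-a.example.internal", version: "8.0.22" },
  { host: "db-b.example.internal", version: "v7.0.34" },
  { host: "db-c.example.internal", version: "8.3.2-rc0" },
  { host: "db-d.example.internal", version: "4.4.29" },
  { host: "db-e.example.internal", version: "6.0.27" },
];

for (const r of triage(inventory)) {
  console.log(`${r.host}\t${r.version}\t${r.status}\t${r.upgradeTo ?? "-"}`);
}
```

In mongosh the same function can be applied to a live node with `classifyVersion(db.version())`.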