Vulnerability Details CVE-2026-8063
An authenticated user can crash mongod when running $rankFusion or $scoreFusion with an empty pipeline on a view.
When resolving a view, the server inspects the aggregation pipeline to determine whether it begins with an Atlas Search stage. For $rankFusion and $scoreFusion, this inspection reads the first element on each stage’s input pipeline array without first verifying that the array is non-empty. Supplying an empty pipeline causes a null pointer dereference and crashes the server.
This issue affects MongoDB Server 8.2 versions prior to 8.2.7.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 17.1%
CVSS Severity
CVSS v3 Score 6.5
Products affected by CVE-2026-8063
-
cpe:2.3:a:mongodb:mongodb:8.2.0
-
cpe:2.3:a:mongodb:mongodb:8.2.1
-
cpe:2.3:a:mongodb:mongodb:8.2.2
-
cpe:2.3:a:mongodb:mongodb:8.2.3
-
cpe:2.3:a:mongodb:mongodb:8.2.4
-
cpe:2.3:a:mongodb:mongodb:8.2.5
-
cpe:2.3:a:mongodb:mongodb:8.2.6