Vulnerability Details CVE-2026-9741
A bug in query analysis processing of the $vectorSearch aggregation stage for Queryable Encryption (QE) or Client-Side Field Level Encryption (CSFLE) results in literal values for encrypted fields within the $vectorSearch stage filter expressions to be sent to the server as plaintext instead of ciphertext.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 0.9%
CVSS Severity
CVSS v3 Score 6.5