CVE-2026-1849 in MongoDB Server

Summary

by MITRE • 02/10/2026

MongoDB Server may experience an out-of-memory failure while evaluating expressions that produce deeply nested documents. The issue arises in recursive functions because the server does not periodically check the depth of the expression.


Analysis

by VulDB Data Team • 02/26/2026

CVE-2026-1849 is a critical memory exhaustion flaw in MongoDB Server that manifests during expression evaluation over deeply nested document structures. It stems from insufficient depth monitoring in the recursive expression-processing functions: the server keeps allocating memory for each level of nesting without checking a bound. The affected component is MongoDB's expression evaluation engine, which handles complex document operations including aggregation pipelines and query processing over nested data.

The root cause lies in the server's recursive evaluation algorithms, which traverse document hierarchies without maintaining depth counters or stack overflow protections. When processing expressions that contain deeply nested documents, the server allocates memory for each recursive call without periodically validating the depth, so memory consumption grows unchecked. This matches CWE-770, allocation of resources without limits or with inadequate limits, and is a classic case of memory exhaustion through recursive processing that lacks a proper termination condition.

Operationally, the flaw can cause complete service disruption: an out-of-memory failure terminates the MongoDB process unexpectedly. An attacker could trigger it by submitting queries or aggregation operations that build deeply nested document structures, exhausting memory on the targeted instance. The vulnerability affects all MongoDB versions that implement recursive expression evaluation, threatening database availability and data integrity in enterprise environments where complex document processing is common. Systems with limited memory are at heightened risk because memory consumption grows exponentially with nesting depth.

Beyond a single outage, the flaw enables denial of service across multiple database operations: an attacker can consume system resources systematically, and the resulting resource contention may affect other applications sharing the same infrastructure. This corresponds to ATT&CK technique T1499.004, in which adversaries exhaust system resources to prevent legitimate use of a service. Organizations should apply immediate mitigations: query timeout configuration, enforced memory limits, and monitoring for unusual memory consumption in database processes. Upgrading to MongoDB versions that fix the recursive depth checking should be prioritized to prevent exploitation.
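The depth-check pattern the analysis describes, as an added illustration that is not MongoDB's or VulDB's code: a stack-based depth validator that rejects over-nested documents before any recursive evaluation starts, and a toy recursive evaluator that threads a depth counter through every call and checks it first. The limit of 100, the function names and the `{"v": ...}` sample documents are assumptions chosen for this example; the advisory does not state the server's actual bound or internal function names.

```python
"""Depth-bounded handling of nested documents (added illustration, not MongoDB code)."""
from typing import Any

# Assumed limit for illustration only; the advisory does not state the server's bound.
MAX_NESTING_DEPTH = 100


class NestingDepthExceeded(ValueError):
    """Raised as soon as a document or expression nests deeper than the limit."""


def document_depth(doc: Any, max_depth: int = MAX_NESTING_DEPTH) -> int:
    """Return the nesting depth of a dict/list document (a scalar has depth 0).

    Uses an explicit stack rather than recursion, so the check itself cannot
    overflow the call stack, and raises as soon as any branch exceeds max_depth,
    so hostile input is rejected after at most max_depth levels of work per branch.
    """
    deepest = 0
    stack = [(doc, 0)]  # (node, number of containers enclosing it)
    while stack:
        node, level = stack.pop()
        if isinstance(node, dict):
            children = list(node.values())
        elif isinstance(node, list):
            children = node
        else:
            continue  # scalar leaf adds no depth
        level += 1  # this container sits one level below its parent
        if level > max_depth:
            raise NestingDepthExceeded(f"nesting depth exceeds {max_depth}")
        deepest = max(deepest, level)
        stack.extend((child, level) for child in children)
    return deepest


def within_limit(doc: Any, max_depth: int = MAX_NESTING_DEPTH) -> bool:
    """True if doc may be passed to the evaluator, False if it breaches the bound."""
    try:
        document_depth(doc, max_depth)
        return True
    except NestingDepthExceeded:
        return False


def evaluate(expr: Any, depth: int = 0, max_depth: int = MAX_NESTING_DEPTH) -> Any:
    """Toy recursive evaluator that copies the structure it is given.

    The point is the depth parameter: every recursive call increments it and
    checks it before doing anything else, which is the periodic depth check the
    advisory says the server's recursive functions lacked. With the check, a
    pathological input fails fast with a bounded error instead of growing memory
    and stack usage in step with its nesting.
    """
    if depth > max_depth:
        raise NestingDepthExceeded(f"expression nests deeper than {max_depth}")
    if isinstance(expr, dict):
        return {k: evaluate(v, depth + 1, max_depth) for k, v in expr.items()}
    if isinstance(expr, list):
        return [evaluate(v, depth + 1, max_depth) for v in expr]
    return expr


def nested_document(levels: int, leaf: Any = 1) -> Any:
    """Constructed sample input: {"v": {"v": ... leaf ...}} with `levels` dict layers."""
    doc = leaf
    for _ in range(levels):
        doc = {"v": doc}
    return doc


if __name__ == "__main__":
    ok = nested_document(MAX_NESTING_DEPTH)
    too_deep = nested_document(10_000)
    print("depth of accepted sample:", document_depth(ok))
    print("accepted:", within_limit(ok), "rejected:", not within_limit(too_deep))
    evaluate(ok)  # completes normally
    try:
        evaluate(too_deep)
    except NestingDepthExceeded as err:
        print("evaluator stopped early:", err)
```

Validating depth up front with the iterative walker is the cheaper guard, since it never enters the recursive path at all; the counter inside `evaluate` is the defence-in-depth version for code paths that must recurse, and the two share one limit so they agree on what is acceptable.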

Responsible

MongoDB

Reservation

02/03/2026

Disclosure

02/10/2026

Moderation

accepted

CPE

ready

EPSS

0.00077

KEV

no

Activities

very low

Sources
