CVE-2026-1849
Mongod can run out of stack memory when expressions create deeply nested documents
EPSS 0.08%
Description
MongoDB Server may experience an out-of-memory failure while evaluating expressions that produce deeply nested documents. The issue arises in recursive functions because the server does not periodically check the depth of the expression.
How to fix CVE-2026-1849
To remediate CVE-2026-1849, upgrade the affected package to a fixed version listed below.
- Bitnami/mongodb: upgrade to 7.0.29 or later
Is CVE-2026-1849 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 7.0.0, < 7.0.29; >= 8.0.0, < 8.0.18; >= 8.2.0, < 8.2.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |