Post-auth null pointer dereference when aggregating against a view with empty search pipeline
Details
CVSS v3
6.5
CVSS v4
7.1
NVD published
2026-05-07 06:16:05
EPSS
<0.1% probability · 12.0th percentile — 2026-05-11
Affected versions
cpe:2.3:a:mongodb:mongodb:*:*:*:*:-:*:*:*
Summary
An authenticated user can crash mongod when running $rankFusion or $scoreFusion with an empty pipeline on a view.
When resolving a view, the server inspects the aggregation pipeline to determine whether it begins with an Atlas Search stage. For $rankFusion and $scoreFusion, this inspection reads the first element on each stage’s input pipeline array without first verifying that the array is non-empty. Supplying an empty pipeline causes a null pointer dereference and crashes the server.
This issue affects MongoDB Server 8.2 versions prior to 8.2.7.
TopVuln sends digest emails with high-risk CVE picks across multiple authoritative sources—curated with EPSS and AI. Choose daily per-stream emails and optional weekly or monthly roundups.