CVE Catalog

CVE-2026-9746

MediumCVSS 6.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.24%

14th percentile - higher than 14% of all known CVEs

Summary

Using $changestreams and $_requestReshardingResumeToken with the exchange option causes the server to crash due to hitting an invariant. The user must be logged in to issue the statement.

Risk Assessment

Server crashes can lead to application downtime and loss of service availability. Any logged-in user can trigger this issue, increasing the risk.

Recommendation

It is recommended to monitor the use of $changestreams and $_requestReshardingResumeToken and implement access restrictions to these features to minimize the risk of crashes.

Original NVD description (English source)

When using $changestreams and $_requestReshardingResumeToken with the exchange option the server hits an invariant which causes the server to crash. There are no special privileges needed. The user must be logged in to issue the statement.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS