MongoDB just shipped patches for 14 CVEs across four release lines. If you are running 8.0.x below 8.0.24, you are sitting on at least one remotely triggerable denial-of-service bug.
France's CERT-FR published advisory CERTFR-2026-AVI-0735 on June 11, 2026, citing 15 MongoDB security bulletins (JIRA tickets SERVER-122207 through SERVER-126506). Fourteen unique CVEs are now public, numbered between CVE-2026-9735 and CVE-2026-9754. No public exploit code is known at the time of writing, but the version boundaries alone tell an attacker which servers to go after.
Four Release Lines Affected
Core Server 8.0.x needs 8.0.24, 8.2.x needs 8.2.10, and 8.3.x needs 8.3.3. If you are still on the 7.0 branch, the fix is 7.0.35. Each of these ranges carries at least one vulnerability that lets a remote attacker deny service or read data they should not be able to access.
The Vulnerabilities: DoS and Data Leakage
The advisory gives impact, not root cause: remote attackers can crash the server or read data they should not see. It mentions no authentication bypass, so the issues presumably require some level of access, but in practice that floor can be as low as the ability to reach the MongoDB port. Any instance reachable from untrusted networks, or running with authorization disabled, should be treated as in scope.
What You Need to Do
Pull the patched builds from MongoDB's download center or your package manager. First find out where you stand: db.version() in mongosh (or the legacy mongo shell) returns the running server's version, and mongod --version on the host reports the installed binary. If you are on 8.0.23 or lower, 8.2.9 or lower, 8.3.2 or lower, or 7.0.34 or lower, you are vulnerable; a line the advisory does not name is outside its scope, not confirmed clean. On a replica set, upgrade the secondaries one at a time, step the primary down and upgrade it last, then re-check db.version() on every member rather than trusting the package manager's output alone.
One more thing: review network exposure while you are at it. Patching closes these specific bugs and does nothing about the next batch. mongod should bind only to the interfaces it needs (net.bindIp with explicit addresses, never bindIpAll on a host with a public interface), sit behind a firewall or security group that admits only application hosts, and run with security.authorization enabled. If your MongoDB port is reachable from the internet, you have bigger problems than these 14 CVEs.
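As an added example (not code from the CERT-FR advisory or from MongoDB), here is a small Python audit that encodes the version boundaries above and scans a mongod.conf for the exposure problems just described. The live_version helper assumes mongosh is on PATH and a server listening on the default loopback URI; the two sample configurations are constructed for illustration, and the config scan is a line-based heuristic, not a full YAML parser.

```python
"""Added example for this write-up, not code from CERT-FR or MongoDB.

Two checks a practitioner wants after reading the advisory:
  1. is the running mongod below the first fixed release of its line?
  2. does mongod.conf expose the listener to every interface, or run without auth?
The thresholds come from the advisory text; the conf scan is a line-based
heuristic, not a full YAML parser.
"""
import re
import subprocess

# First fixed patch release per affected line, from the advisory.
FIXED = {(7, 0): 35, (8, 0): 24, (8, 2): 10, (8, 3): 3}


def parse_version(text):
    """'8.0.23' -> (8, 0, 23). Tolerates suffixes such as '8.0.23-ent' and
    the 'db version v8.0.23' prefix printed by `mongod --version`."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised MongoDB version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def status(version):
    """'vulnerable' if below the fixed release for its line, 'patched' if at or
    above it, 'unlisted' for lines the advisory does not name (not a clean bill)."""
    major, minor, patch = parse_version(version)
    fixed = FIXED.get((major, minor))
    if fixed is None:
        return "unlisted"
    return "patched" if patch >= fixed else "vulnerable"


def audit_conf(conf_text):
    """Return a list of exposure findings for a mongod.conf (YAML) body."""
    findings = []
    auth_enabled = False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if re.fullmatch(r"bindIpAll:\s*true", line):
            findings.append("net.bindIpAll is true: mongod listens on every interface")
        m = re.fullmatch(r"bindIp:\s*(.+)", line)
        if m:
            ips = [ip.strip().strip("'\"") for ip in m.group(1).split(",")]
            wildcard = [ip for ip in ips if ip in ("0.0.0.0", "::")]
            if wildcard:
                findings.append(f"net.bindIp contains wildcard address {', '.join(wildcard)}")
        if re.fullmatch(r"authorization:\s*enabled", line):
            auth_enabled = True
    if not auth_enabled:
        findings.append("security.authorization is not enabled")
    return findings


def live_version(uri="mongodb://127.0.0.1:27017"):
    """Ask a running server for db.version() through mongosh (assumes mongosh on PATH)."""
    out = subprocess.run(
        ["mongosh", "--quiet", "--eval", "db.version()", uri],
        capture_output=True, text=True, check=True,
    )
    return out.stdout.strip()


# Constructed sample configs (not taken from any real deployment).
EXPOSED_CONF = """\
net:
  port: 27017
  bindIp: 0.0.0.0
"""

HARDENED_CONF = """\
net:
  port: 27017
  bindIp: 127.0.0.1,10.20.0.15   # loopback plus the private app-network address
security:
  authorization: enabled
"""

if __name__ == "__main__":
    for v in ("8.0.23", "8.0.24", "7.0.34", "8.3.3", "6.0.19"):
        print(v, status(v))
    print("exposed:", audit_conf(EXPOSED_CONF))
    print("hardened:", audit_conf(HARDENED_CONF))
    try:
        print("live:", status(live_version()))
    except (FileNotFoundError, subprocess.CalledProcessError) as exc:
        print("no local mongod reachable via mongosh:", exc)
```

Run it on each host (or feed it the output of mongod --version collected by your configuration management) and treat "unlisted" as a prompt to read the advisory yourself, not as a pass.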
Source: CERT-FR, Multiples vulnérabilités dans MongoDB (Multiple vulnerabilities in MongoDB), 11 June 2026
Domain: cert.ssi.gouv.fr