Description

An administrative user with access to configure webhooks can execute arbitrary commands by configuring and then triggering webhooks containing specific FreeMarker template syntax. This issue affects all MongoDB Ops Manager 7.0 versions and MongoDB Ops Manager versions 8.0.22 and prior.

PUBLISHED Reserved 2026-05-12 | Published 2026-05-12 | Updated 2026-05-12 | Assigner mongodb




CRITICAL: 9.4 (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H)

HIGH: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

Problem types

CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

Product status

Default status: unaffected

7.0 (custom) before 8.0.23: affected

References

www.mongodb.com/...anager/current/release-notes/application/ release-notes

cve.org (CVE-2026-8431)

nvd.nist.gov (CVE-2026-8431)