
CVE-2026-1849: CWE-674 Uncontrolled Recursion in MongoDB Inc MongoDB Server

Severity: High
Tags: Vulnerability, CVE-2026-1849, CWE-674
Published: Tue Feb 10 2026 (02/10/2026, 18:52:52 UTC)
Source: CVE Database V5
Vendor/Project: MongoDB Inc
Product: MongoDB Server

Description

MongoDB Server may experience an out-of-memory failure while evaluating expressions that produce deeply nested documents. The issue arises in recursive functions because the server does not periodically check the depth of the expression.

AI-Powered Analysis

AI analysis last updated: 02/10/2026, 20:01:42 UTC

Technical Analysis

CVE-2026-1849 affects MongoDB Server 7.0, 8.0 and 8.2 and is classified as CWE-674 (Uncontrolled Recursion). Expression evaluation in the server is implemented with recursive functions, and when an expression produces deeply nested documents those functions do not periodically check the depth they have reached. Memory use therefore grows unchecked until the mongod process fails with an out-of-memory condition. The result is a denial of service: the server crashes or is severely degraded for every connected client, not just the one that issued the expression. According to the CVSS vector, the issue is reachable remotely over the network, needs no user interaction, and requires low privileges (PR:L), meaning an authenticated database user who can issue queries or aggregations; elevated roles are not needed. The CVSS v4.0 base score is 7.1 (High), driven by the availability impact. At the time of this analysis no vendor patch, public exploit code, or in-the-wild exploitation had been recorded. The practical exposure concentrates in deployments that evaluate attacker-influenced query or aggregation expressions: applications that build pipelines or projections from user input, and multi-tenant or shared clusters where any authenticated tenant can reach the vulnerable code path. Operators of affected versions should treat this as a pending-patch availability issue and apply the vendor fix as soon as it is released.

Potential Impact

The primary impact of CVE-2026-1849 is on availability. An authenticated attacker who can run queries or aggregations crafts an expression that produces deeply nested documents; the server recurses without a depth check, memory consumption climbs, and the mongod process is killed or becomes unresponsive. Because the failure is process-wide, a single malicious client can take down the database for all applications that depend on it, and on a replica set it may trigger repeated failovers if the payload is replayed against each new primary. For European organizations running MongoDB behind financial, healthcare, government or e-commerce services, that means data unavailability, broken service-level agreements and downstream outages in anything that does not degrade gracefully without its database. In multi-tenant or cloud-hosted clusters the blast radius extends to every tenant sharing the process. Confidentiality and integrity are not directly affected, although an abrupt OOM crash can leave applications with partially completed work to reconcile. The attack needs no user interaction and only low privileges, so any compromised application credential, or any tenant with legitimate query access, is sufficient; exploitation could plausibly be automated once the triggering expression shape is known. Deployments that accept query structure from untrusted input are the most exposed.

Mitigation Recommendations

1. Monitor for unusually deep or complex nested expressions. mongod's JSON-format log (4.4 and later) and the database profiler record the full command for slow operations, so deep $project, $addFields, $map or $reduce structures, and aggregations with abnormal duration or memory footprint, are visible there. Alert on process restarts and OOM-killer events on database hosts as well, since a successful trigger looks like an unexplained crash.
2. Apply least privilege. PR:L means any authenticated user who can issue queries or aggregations can reach the vulnerable path, so restrict which principals hold read or aggregate-capable roles, use a dedicated low-privilege account per application, and rotate credentials that may have leaked.
3. Use query execution timeouts (maxTimeMS on find and aggregate) and any resource limits your deployment supports. Note the caveat: a time limit bounds CPU time, not memory, so an expression that exhausts memory within the timeout still causes an OOM. Treat timeouts as a partial mitigation.
4. Validate query structure at the application layer. Never pass untrusted input directly into a filter, projection or pipeline; where users may influence query shape, bound the nesting depth and size of the literal you send, and whitelist the operators allowed. This bounds only the input; an expression can still produce a document deeper than itself, so this is defence in depth rather than a fix.
5. Track the MongoDB advisory for CVE-2026-1849 and apply the vendor patch for 7.0, 8.0 and 8.2 promptly once it is published.
6. Plan the upgrade path now so that moving to a fixed release is a scheduled change rather than an emergency.
7. In cloud or managed environments, confirm with the provider which release the service runs and when the fix will be rolled out.
8. Include deep-nesting and recursion-heavy inputs in routine stress and fuzz testing of the query surface, so that similar failure modes are found before an attacker finds them.
9. Run critical instances as replica sets with automated failover and process supervision, and isolate untrusted workloads onto separate clusters, so that a crash degrades rather than removes service.
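The following is an added example, not code from MongoDB or from this page, covering items 1 and 4 above: a depth guard applied to filters and pipelines before they reach the driver, and the same guard run over mongod JSON-format log lines to flag logged commands that nest unusually deep. The guard walks the structure with an explicit stack rather than recursion, so the validator cannot itself be pushed into uncontrolled recursion by the input it is checking. The log lines, the MAX_DEPTH threshold, and the assumption that the application passes queries to the driver as Python dicts and lists are constructed for the example.

```python
"""Depth guard for MongoDB commands and mongod log entries.

Added example (not MongoDB code). Assumptions: the application hands filters
and pipelines to the driver as Python dicts/lists, mongod writes JSON-format
logs (4.4+) with the command under attr.command, and MAX_DEPTH is tuned to the
deepest query the application legitimately issues.
"""
import json
from collections.abc import Mapping, Sequence

MAX_DEPTH = 20  # assumption: deepest nesting a legitimate query in this app needs


def nesting_depth(value) -> int:
    """Nesting depth of a JSON-like value: scalars are 0, {} and [] are 1.

    The walk uses an explicit stack instead of recursion, so the guard itself
    cannot be driven into deep recursion by the input it is inspecting (the
    same CWE-674 pattern the advisory describes).
    """
    deepest = 0
    stack = [(value, 0)]
    while stack:
        node, depth = stack.pop()
        if isinstance(node, Mapping):
            deepest = max(deepest, depth + 1)
            stack.extend((child, depth + 1) for child in node.values())
        elif isinstance(node, Sequence) and not isinstance(node, (str, bytes)):
            deepest = max(deepest, depth + 1)
            stack.extend((child, depth + 1) for child in node)
    return deepest


def check_pipeline(pipeline, max_depth: int = MAX_DEPTH) -> bool:
    """Application-layer gate: True if the filter/pipeline literal may be sent.

    This bounds only the depth of the *input*; an expression can still build a
    document deeper than itself, so this is defence in depth, not a fix.
    """
    return nesting_depth(pipeline) <= max_depth


def deep_commands_in_log(log_text: str, max_depth: int = MAX_DEPTH):
    """Detection: scan mongod JSON log lines and return (ctx, ns, depth) for
    logged commands that nest deeper than max_depth."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # not a JSON log line
        except RecursionError:
            # Too deep for json.loads itself (which is recursive): that is a hit.
            hits.append((None, None, None))
            continue
        if not isinstance(entry, dict):
            continue
        attr = entry.get("attr") or {}
        command = attr.get("command")
        if command is None:
            continue
        depth = nesting_depth(command)
        if depth > max_depth:
            hits.append((entry.get("ctx"), attr.get("ns"), depth))
    return hits


def build_nested(depth: int):
    """Build a document nested `depth` levels deep (fixture for the demo)."""
    doc = 1
    for _ in range(depth):
        doc = {"v": doc}
    return doc


def _log_entry(ctx, command, ms):
    """One constructed 'Slow query' entry in mongod's JSON log shape."""
    return json.dumps({
        "t": {"$date": "2026-02-11T09:00:00.123+00:00"}, "s": "I", "c": "COMMAND",
        "id": 51803, "ctx": ctx, "msg": "Slow query",
        "attr": {"type": "command", "ns": "shop.orders", "command": command,
                 "durationMillis": ms},
    })


# Constructed sample log: one benign find, one aggregate carrying a 40-level
# literal inside $project, and one non-JSON line that must be skipped.
SAMPLE_LOG = "\n".join([
    _log_entry("conn41", {"find": "orders", "filter": {"status": "paid"}}, 120),
    _log_entry("conn57", {"aggregate": "orders",
                          "pipeline": [{"$project": {"x": build_nested(40)}}],
                          "cursor": {}}, 3400),
    "2026-02-11T09:00:01 plain-text line, not JSON",
])

if __name__ == "__main__":
    print(check_pipeline([{"$match": {"status": "paid"}}]))          # True
    print(check_pipeline([{"$project": {"x": build_nested(40)}}]))  # False
    print(deep_commands_in_log(SAMPLE_LOG))  # [('conn57', 'shop.orders', 44)]
```

The depth of the flagged command is 44 rather than 40 because the command document, the pipeline array, the stage object and the $project object each add a level before the 40-level literal begins; set MAX_DEPTH against the whole command as logged, not against the user-supplied fragment alone.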


Technical Details

Data Version
5.2
Assigner Short Name
mongodb
Date Reserved
2026-02-03T18:21:52.859Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 698b8b0c4b57a58fa12667d2

Added to database: 2/10/2026, 7:46:20 PM

Last enriched: 2/10/2026, 8:01:42 PM

Last updated: 2/21/2026, 12:18:09 AM
