CVE-2026-6811 PUBLISHED

PHP Stack Exhaustion

Assigner: mongodb
Reserved: 21.04.2026 Published: 14.05.2026 Updated: 14.05.2026

Stack exhaustion vulnerability in the MongoDB PHP driver can cause application crashes when processing deeply nested BSON documents in unusual circumstances when the source of these BSON documents is not MongoDB Server.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CVSS Score: 6

Product Status

Vendor MongoDB Inc.
Product PHP Driver
Versions Default: unaffected
  • Version 1.21.5 is affected
  • Version 2.1.8 is affected

References

Problem Types

  • CWE-674 Uncontrolled Recursion CWE

Impacts

  • CAPEC-230 Serialized Data with Nested Payloads