u/NiceReflection454

CVE-2026-8053 in MongoDB time-series — affects you even if your app doesn't use time-series collections

Disclosure up front: I work at Percona. Posting this because the framing in some of the chatter I'm seeing about CVE-2026-8053 is going to leave many teams exposed.

The bug in one line: out-of-bounds memory write in MongoDB's time-series bucket catalog. An authenticated user with the readWrite role on any database can trigger it via a crafted sequence of operations against a time-series collection. CVSS v3.1 8.8, v4.0 8.7. Upstream tracking: SERVER-126021.

Why is the prerequisite weaker than it looks?

The advisory says the attacker needs database write privileges. That's accurate, but in practice, it means the built-in readWrite role, which is what most application accounts already hold.

So an attacker who lifts an application credential — from a CI log, a .env file, a compromised pod, an ex-employee's laptop — does not need your deployment to already host a time-series collection. They can create one on the spot and reach the vulnerable code path.

If your team is currently in the "we don't use time-series, we're fine" conversation, that's not the mitigation it sounds like. The only meaningful options are patching or restricting the readWrite role to your application accounts (which will break most apps if you do it at runtime).

Fixed versions

  • MongoDB Server (upstream): see SERVER-126021 for the fixed versions for each major release; fixes are available from 5.0 to 8.3.
  • Percona Server for MongoDB:
    • 7.0.34-19 — May 20, 2026
    • 8.0.23-10 — May 21, 2026
    • 6.0.x patch — targeted for May 25, 2026
  • 5.x: no binary packages, but the fix is on the public release branch release-5.0.33-26 if you need to build it.

If you're running PSMDB on Kubernetes via the Percona Operator, you don't need to wait for an operator release — trigger the upgrade in the nearest possible maintenance window.

What I'd actually do today

  1. Patch on whichever schedule matches your major version.
  2. Audit custom roles. Anything granting readWrite to application accounts is, until you patch, an RCE primitive in waiting. Decide whether those accounts really need to write at runtime or whether they can be scoped to a known set.
  3. If you haven't already, enable MongoDB auditing for createCollection events. Useful for spotting unexpected time-series collection creation in the window before everyone is patched.

I am happy to answer any questions in the thread.

If you want the longer write-up — including the operational case that "authenticated RCE" deserves more urgency than it usually gets — I wrote it up on the Percona blog: https://www.percona.com/blog/cve-2026-8053-we-dont-use-time-series-is-not-a-mitigation/

u/NiceReflection454 — 1 day ago
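As an added example (not from the post and not Percona's code), a small Python checker for step 3 above: it reads MongoDB JSON audit-log lines, keeps the createCollection events, and reports any whose principal is not on an allowlist of accounts expected to create that namespace. The sample events and the allowlist are constructed; whether `param` carries a `timeseries` option is an assumption, so the rule does not depend on it and only reports the flag when present.

```python
import json

# Constructed sample events in MongoDB's JSON audit-log shape (not real data).
SAMPLE_AUDIT_LOG = """
{"atype":"createCollection","ts":{"$date":"2026-05-21T10:02:11.000Z"},"local":{"ip":"10.0.0.5","port":27017},"remote":{"ip":"10.0.1.20","port":51220},"users":[{"user":"app_svc","db":"admin"}],"roles":[{"role":"readWrite","db":"orders"}],"param":{"ns":"orders.sessions"},"result":0}
{"atype":"createCollection","ts":{"$date":"2026-05-21T10:03:40.000Z"},"local":{"ip":"10.0.0.5","port":27017},"remote":{"ip":"203.0.113.9","port":40311},"users":[{"user":"app_svc","db":"admin"}],"roles":[{"role":"readWrite","db":"orders"}],"param":{"ns":"orders.tmp_ts","timeseries":{"timeField":"t"}},"result":0}
{"atype":"authenticate","ts":{"$date":"2026-05-21T10:03:39.000Z"},"local":{"ip":"10.0.0.5","port":27017},"remote":{"ip":"203.0.113.9","port":40311},"users":[{"user":"app_svc","db":"admin"}],"roles":[],"param":{"user":"app_svc","db":"admin","mechanism":"SCRAM-SHA-256"},"result":0}
{"atype":"createCollection","ts":{"$date":"2026-05-21T10:05:00.000Z"},"local":{"ip":"10.0.0.5","port":27017},"remote":{"ip":"10.0.2.8","port":33012},"users":[{"user":"dba","db":"admin"}],"roles":[{"role":"dbAdminAnyDatabase","db":"admin"}],"param":{"ns":"metrics.cpu"},"result":0}
"""

# Hypothetical allowlist of which account may create which namespace;
# None means any namespace (a DBA account), a set lists the expected ones.
EXPECTED_CREATORS = {"app_svc@admin": {"orders.sessions"}, "dba@admin": None}


def parse_audit_lines(text):
    """Yield one dict per non-empty line, skipping lines that are not JSON."""
    for raw in text.splitlines():
        if not raw.strip():
            continue
        try:
            yield json.loads(raw)
        except json.JSONDecodeError:
            continue


def find_unexpected_create_collection(text, allowlist=EXPECTED_CREATORS):
    """Return createCollection events whose principal is not expected to create that ns."""
    findings = []
    for ev in parse_audit_lines(text):
        if ev.get("atype") != "createCollection":
            continue
        param = ev.get("param", {})
        ns = param.get("ns", "")
        principals = [f"{u['user']}@{u['db']}" for u in ev.get("users", [])]
        # Allowed if any principal may create this namespace (or any namespace).
        if any(allowlist.get(p, set()) is None or ns in allowlist.get(p, set())
               for p in principals):
            continue
        findings.append({
            "ts": ev.get("ts", {}).get("$date"),
            "principals": principals,
            "roles": [f"{r['role']}@{r['db']}" for r in ev.get("roles", [])],
            "ns": ns,
            "remote_ip": ev.get("remote", {}).get("ip"),
            "result": ev.get("result"),  # 0 = succeeded; non-zero = failed attempt
            # Assumption: not every server version puts collection options in param.
            "timeseries": "timeseries" in param,
        })
    return findings
```

Run it against a real audit file by passing the file's contents as `text`; failed attempts are kept on purpose, since a readWrite account that tries and fails is worth a look too.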

Hi everyone,

The team at Percona just released PBM 2.14.0. This update includes significant performance improvements for MinIO-compatible storage users, but, more importantly, introduces a breaking change for anyone using PBM in automated scripts.

⚠️ Breaking Change: Interactive Restore Confirmation

To prevent accidental data loss, the pbm restore command now includes an interactive confirmation prompt.

  • Manual Users: You will now be asked Are you sure? [y/N] before a restore begins.
  • Automation/Scripts: You must now include the -y or --yes flag in your scripts, or your automated restores will hang waiting for input.

Key Highlights in 2.14.0

  • Faster Remote Storage Uploads: We’ve enabled concurrent streaming via the MinIO SDK. Large file transfers to S3-compatible storage should now see significantly improved throughput and efficiency.
  • Encrypted Backup Support: PBM now automatically captures the master encryption key identifier (KMIP or Vault) in the metadata. This allows for seamless database restores with data-at-rest encryption without manual key tracking.
  • Improved PITR Consistency: For physical restores, PITR oplog entries are now applied to all nodes (not just the former Primary), ensuring identical data files across the whole replica set.
  • Balancer Handling: New configuration settings (backup.timeouts.balancerStop) allow you to control how long PBM waits for the MongoDB balancer to stop, preventing operations from hanging indefinitely during chunk migrations.

Notable Bug Fixes:

  • Fixed an issue where pbm-cli would wait indefinitely if pbm-agent crashed during backup.
  • Resolved mongodb+srv URI parsing errors in the CLI.
  • Fixed a bug where pbm describe-backup reported inflated sizes for incremental backups.

Full Release Notes & Docs: https://docs.percona.com/percona-backup-mongodb/release-notes/2.14.0.html#percona-backup-for-mongodb-2140-2026-04-29

I'm happy to answer any questions about the new concurrent streaming or the safety changes!

u/NiceReflection454 — 18 days ago