CVE Catalog

CVE-2026-9741

MediumCVSS 6.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.10%

1th percentile - higher than 1% of all known CVEs

Summary

A bug in query analysis processing of the $vectorSearch aggregation stage for Queryable Encryption (QE) or Client-Side Field Level Encryption (CSFLE) results in literal values for encrypted fields within the $vectorSearch stage filter expressions being sent to the server as plaintext instead of ciphertext.

Risk Assessment

The organization may be exposed to the disclosure of sensitive data as encrypted fields are transmitted in plaintext. This could lead to privacy breaches and data security issues.

Recommendation

It is recommended to update the system to the latest version to fix this bug and to test the application to ensure that sensitive data is properly encrypted before being sent to the server.

Original NVD description (English source)

A bug in query analysis processing of the $vectorSearch aggregation stage for Queryable Encryption (QE) or Client-Side Field Level Encryption (CSFLE) results in literal values for encrypted fields within the $vectorSearch stage filter expressions to be sent to the server as plaintext instead of ciphertext.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS