CVE-2026-9741
MediumCVSS 6.5Exploitation Probability (EPSS)
Low risk1th percentile - higher than 1% of all known CVEs
Summary
A bug in query analysis processing of the $vectorSearch aggregation stage for Queryable Encryption (QE) or Client-Side Field Level Encryption (CSFLE) results in literal values for encrypted fields within the $vectorSearch stage filter expressions being sent to the server as plaintext instead of ciphertext.
Risk Assessment
The organization may be exposed to the disclosure of sensitive data as encrypted fields are transmitted in plaintext. This could lead to privacy breaches and data security issues.
Recommendation
It is recommended to update the system to the latest version to fix this bug and to test the application to ensure that sensitive data is properly encrypted before being sent to the server.
Original NVD description (English source)
A bug in query analysis processing of the $vectorSearch aggregation stage for Queryable Encryption (QE) or Client-Side Field Level Encryption (CSFLE) results in literal values for encrypted fields within the $vectorSearch stage filter expressions to be sent to the server as plaintext instead of ciphertext.

