CVE-2026-9746
MediumCVSS 6.5Exploitation Probability (EPSS)
Low risk14th percentile - higher than 14% of all known CVEs
Summary
Using $changestreams and $_requestReshardingResumeToken with the exchange option causes the server to crash due to hitting an invariant. The user must be logged in to issue the statement.
Risk Assessment
Server crashes can lead to application downtime and loss of service availability. Any logged-in user can trigger this issue, increasing the risk.
Recommendation
It is recommended to monitor the use of $changestreams and $_requestReshardingResumeToken and implement access restrictions to these features to minimize the risk of crashes.
Original NVD description (English source)
When using $changestreams and $_requestReshardingResumeToken with the exchange option the server hits an invariant which causes the server to crash. There are no special privileges needed. The user must be logged in to issue the statement.

