MongoDB Ops Manager RCE via Webhook Template Injection (CVE-2026-8431)
The National Vulnerability Database has disclosed CVE-2026-8431, a high-severity vulnerability (CVSS 7.2) affecting MongoDB Ops Manager. This flaw allows an administrative user with webhook configuration access to achieve arbitrary command execution. The attack vector leverages specific FreeMarker template syntax within webhook configurations, which, when triggered, can lead to system compromise.
This is a critical administrative bypass. While it requires an already privileged user, the ability to escalate from webhook configuration to arbitrary command execution is a significant jump in impact. It means a compromised administrator account, even one with seemingly limited ‘webhook’ permissions, can quickly lead to a full system takeover. This is not just a misconfiguration; it’s a template injection vulnerability that weaponizes a legitimate feature.
The vulnerability impacts all MongoDB Ops Manager 7.0 versions and MongoDB Ops Manager versions 8.0.22 and prior. Defenders need to recognize that ‘administrative access’ is not a catch-all for acceptable risk when it enables this level of escalation. Assume compromise and patch immediately.
What This Means For You
- If your organization uses MongoDB Ops Manager, you need to identify all affected instances (versions 7.0 and 8.0.22 and prior) and prioritize patching immediately. Furthermore, audit your administrative user access controls for webhook configuration privileges. This is a clear path to RCE, even from an already privileged account, meaning a single compromised admin credential can lead to full infrastructure compromise.
Related ATT&CK Techniques
🛡️ Detection Rules
2 rules · 6 SIEM formats2 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
CVE-2026-8431: MongoDB Ops Manager Webhook Template Injection RCE
title: CVE-2026-8431: MongoDB Ops Manager Webhook Template Injection RCE
id: scw-2026-05-12-ai-1
status: experimental
level: critical
description: |
Detects the exploitation of CVE-2026-8431 by identifying POST requests to the MongoDB Ops Manager webhook API endpoint that contain template injection syntax within the query parameters. This indicates an attempt to execute arbitrary commands via FreeMarker template injection.
author: SCW Feed Engine (AI-generated)
date: 2026-05-12
references:
- https://shimiscyberworld.com/posts/nvd-CVE-2026-8431/
tags:
- attack.initial_access
- attack.t1190
logsource:
category: webserver
detection:
selection:
cs-uri|contains:
- '/api/public/v1.0/webhooks'
cs-method|exact:
- 'POST'
cs-uri-query|contains:
- 'template='
condition: selection
falsepositives:
- Legitimate administrative activity
Source: Shimi's Cyber World · License & reuse
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-8431 | RCE | MongoDB Ops Manager 7.0 versions |
| CVE-2026-8431 | RCE | MongoDB Ops Manager 8.0.22 and prior |
| CVE-2026-8431 | RCE | Arbitrary command execution via FreeMarker template syntax in webhooks |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 12, 2026 at 22:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
Believe this infringes your rights? Submit a takedown request.
Related coverage
HashiCorp Nomad Code Execution (CVE-2026-7474) via Path Traversal
CVE-2026-7474 — HashiCorp Nomad and Nomad Enterprise prior to 2.0.1 are vulnerable to code execution on the client host through a path traversal attack. This...
CVE-2026-44225: Pulpy Packager Allows Arbitrary File Access
CVE-2026-44225 — Pulpy is a lightweight, cross-platform desktop application packager for web apps. Prior to 0.1.1, Pulpy injects a pulpy.fs JavaScript API into every packaged...
ArcadeDB Critical Vulnerability Bypasses Authorization Across Databases
CVE-2026-44221 — ArcadeDB is a Multi-Model DBMS. Prior to 2.6.4, authenticated users and API tokens scoped to a specific database could read, write, and mutate...