Skip to content

Commit 5b0698a

Browse files
Merge pull request #1138 from percona/8.0.26-11
8.0.26-11_Release Notes
2 parents 4302631 + 8222f41 commit 5b0698a

5 files changed

Lines changed: 87 additions & 3 deletions

File tree

docs/_templates/pdf_cover_page.tpl

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -3,10 +3,10 @@
33
<p>
44
<img src="_images/Percona_Color_Dark.svg" alt="Percona logo" />
55
</p>
6-
<h1>Server for MongoDB 8.0.23-10</h1>
6+
<h1>Server for MongoDB 8.0.26-11</h1>
77
{% if config.site_description %}
88
<h1>{{ config.site_description }}</h1>
99
{% endif %}
10-
<h2>8.0.23-10 (May 21, 2026)</h2>
10+
<h2>8.0.26-11 (June 25, 2026)</h2>
1111
<br>
1212
<br>

docs/release_notes/8.0.26-11.md

Lines changed: 80 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,80 @@
1+
---
2+
version: 8.0.26-11
3+
---
4+
5+
# Percona Server for MongoDB {{ page.meta.version }} ({{date.8_0_26}})
6+
7+
[Installation](../install/index.md){.md-button}
8+
[Upgrade from MongoDB Community](../install/upgrade-from-mongodb.md){.md-button}
9+
10+
Percona Server for MongoDB {{ page.meta.version }} is an enhanced, source-available, and highly-scalable database that is a fully-compatible, drop-in replacement for MongoDB Community Edition.
11+
12+
Percona Server for MongoDB **{{ page.meta.version }}** includes the improvements and bug fixes of:
13+
14+
- [MongoDB 8.0.26 Community Edition :octicons-link-external-16:](https://www.mongodb.com/docs/manual/release-notes/8.0/#8.0.26---june-11--2026){:target="_blank"}, [MongoDB 8.0.25 Community Edition :octicons-link-external-16:](https://www.mongodb.com/docs/manual/release-notes/8.0/#8.0.25---june-10--2026){:target="_blank"}, and [MongoDB 8.0.24 Community Edition :octicons-link-external-16:](https://www.mongodb.com/docs/manual/release-notes/8.0/#8.0.24---june-9--2026){:target="_blank"}.
15+
16+
- Supports protocols and drivers of MongoDB Community **8.0.26**.
17+
18+
## Upgrade recommendation
19+
20+
This release contains multiple high-severity security fixes affecting all Percona Server for MongoDB 8.0.x versions. We strongly recommend **upgrading to version {{ page.meta.version }}** as soon as possible.
21+
22+
## Improvements
23+
24+
- [PSMDB-2038](https://perconadev.atlassian.net/browse/PSMDB-2038): Percona Server for MongoDB now exposes LDAP `userToDN` cache statistics through the `serverStatus` command. These metrics provide visibility into cache utilization and effectiveness, helping administrators troubleshoot LDAP authentication latency, validate cache behavior after configuration changes, and optimize cache sizing for their workloads. The new `ldap.userToDNCache` section reports runtime information such as cache usage, hits, misses, and invalidations, making LDAP authentication performance easier to monitor and tune.
25+
26+
- [PSMDB-2071](https://perconadev.atlassian.net/browse/PSMDB-2071): Enhanced oplog record parsing to better handle legacy oplog entries that may be present after upgrades from older major versions. This improvement increases compatibility with upgraded deployments by correctly processing oplog records that contain fields no longer used in current releases.
27+
28+
## Bugs fixed
29+
30+
- [PSMDB-1977](https://perconadev.atlassian.net/browse/PSMDB-1977): Resolved an issue where Docker-based MongoDB instances could fail to start when replication settings were defined in `mongod.conf`.
31+
32+
## Security updates
33+
34+
### Affected versions
35+
36+
These vulnerabilities affect the following versions:
37+
38+
- All Percona Server for MongoDB 8.0.x versions
39+
40+
### High severity
41+
42+
- [SERVER-128125 :octicons-link-external-16:](https://jira.mongodb.org/browse/SERVER-128125){:target="_blank"} **(CVE-2026-11933):** A **use-after-free** vulnerability was identified in MongoDB Server’s server-side JavaScript engine when converting `BSON` documents to JavaScript arrays. An authenticated user with read privileges who can execute server-side JavaScript (e.g., via `$where` or `$function`) may trigger access to freed memory, which could result in information disclosure from the `mongod` process memory or a denial of service through a server crash.
43+
44+
- [SERVER-125063 :octicons-link-external-16:](https://jira.mongodb.org/browse/SERVER-125063){:target="_blank"} **(CVE-2026-9740):** A vulnerability in the `BSON` validator allows an unauthenticated user to supply specially crafted input that could cause the `mongod` process to terminate unexpectedly, resulting in a denial-of-service condition.
45+
46+
- [SERVER-123688 :octicons-link-external-16:](https://jira.mongodb.org/browse/SERVER-123688){:target="_blank"} **(CVE-2026-9743):** A vulnerability in the aggregation framework could allow an authenticated user with permission to run aggregation pipelines to cause a denial of service. By submitting a specially crafted aggregation query followed by additional requests on the same cursor, an attacker could cause the server process to terminate unexpectedly.
47+
48+
- [SERVER-124959 :octicons-link-external-16:](https://jira.mongodb.org/browse/SERVER-124959){:target="_blank"} **(CVE-2026-9753):** A vulnerability in the `$_internalApplyOplogUpdate` aggregation stage allows an authenticated user to supply specially crafted input that could cause the server process to terminate unexpectedly.
49+
50+
- [SERVER-123440 :octicons-link-external-16:](https://jira.mongodb.org/browse/SERVER-123440){:target="_blank"} **(CVE-2026-9752):** Inserting specially crafted documents into a collection with a `2dsphere` index could cause the `mongod` process to terminate unexpectedly, leading to a server crash.
51+
52+
- [SERVER-123633 :octicons-link-external-16:](https://jira.mongodb.org/browse/SERVER-123633){:target="_blank"} **(CVE-2026-9750):** A vulnerability in query execution allows an authenticated user to create specially crafted documents that interfere with internal metadata processing. This can cause the server process to terminate unexpectedly and may result in incorrect query results.
53+
54+
- [SERVER-124031 :octicons-link-external-16:](https://jira.mongodb.org/browse/SERVER-124031){:target="_blank"} **(CVE-2026-9749):** Aggregation pipelines that use the internal `$exchange` stage with key-range partitioning can trigger an unexpected condition when processing large numbers of documents for a single key range. This can cause the server process to terminate unexpectedly.
55+
56+
- [SERVER-123951 :octicons-link-external-16:](https://jira.mongodb.org/browse/SERVER-123951){:target="_blank"} **(CVE-2026-9748):** Under specific conditions, using the internal `$_internalConvertBucketIndexStats` stage together with `$facet` can cause the `mongod` process to terminate unexpectedly.
57+
58+
- [SERVER-123918 :octicons-link-external-16:](https://jira.mongodb.org/browse/SERVER-123918){:target="_blank"} **(CVE-2026-9747):** A vulnerability triggered by using `fromRouter: true` together with `runtimeConstants.userRoles` can cause the `mongod` process to terminate unexpectedly.
59+
60+
- [SERVER-124190 :octicons-link-external-16:](https://jira.mongodb.org/browse/SERVER-124190){:target="_blank"} **(CVE-2026-9746):** A vulnerability in the use of `$changeStream`, `$_requestReshardingResumeToken`, and the exchange option can cause the `mongod` process to terminate unexpectedly. An authenticated user can trigger this behavior without requiring any special privileges.
61+
62+
### Medium severity
63+
64+
- [SERVER-123370 :octicons-link-external-16:](https://jira.mongodb.org/browse/SERVER-123370){:target="_blank"} **(CVE-2026-9751):** Percona Server for MongoDB no longer logs sensitive parameter values when they are modified using the runtime `setParameter` command. Previously, parameters such as `ldapQueryPassword` could be written to `mongod.log` in plain text, potentially exposing credentials.
65+
66+
This applies to all `setParameter` operations. Parameters marked as sensitive are automatically redacted from log output, and values associated with unrecognized parameter names are also redacted to prevent accidental exposure caused by typographical errors.
67+
68+
## Tools packaged with this release
69+
70+
Percona repackages the upstream MongoDB Shell (`mongosh`) as `percona-mongodb-mongosh`, updating all copyright, authorship, and branding under the full product name "Percona MongoDB Shell."
71+
72+
Percona also repackages and patches Mongo Tools. In this release, we've updated embedded Go libraries in the `mongodump` binary to address 15 security (severity from medium to critical) vulnerabilities:
73+
74+
- `golang.org/x/crypto` updated from **v0.45.0** to **v0.52.0** — fixes [CVE-2026-39827 :octicons-link-external-16:](https://nvd.nist.gov/vuln/detail/CVE-2026-39827){:target="_blank"}, [CVE-2026-39828 :octicons-link-external-16:](https://nvd.nist.gov/vuln/detail/CVE-2026-39828){:target="_blank"}, [CVE-2026-39829 :octicons-link-external-16:](https://nvd.nist.gov/vuln/detail/CVE-2026-39829){:target="_blank"}, [CVE-2026-39830 :octicons-link-external-16:](https://nvd.nist.gov/vuln/detail/CVE-2026-39830){:target="_blank"}, [CVE-2026-39835 :octicons-link-external-16:](https://nvd.nist.gov/vuln/detail/CVE-2026-39835){:target="_blank"}, [CVE-2026-42508 :octicons-link-external-16:](https://nvd.nist.gov/vuln/detail/CVE-2026-42508){:target="_blank"}, [CVE-2026-46595 :octicons-link-external-16:](https://nvd.nist.gov/vuln/detail/CVE-2026-46595){:target="_blank"}, [CVE-2026-46597 :octicons-link-external-16:](https://nvd.nist.gov/vuln/detail/CVE-2026-46597){:target="_blank"}
75+
- `golang.org/x/net` updated from **v0.47.0** to **v0.55.0** — fixes [CVE-2026-25680 :octicons-link-external-16:](https://nvd.nist.gov/vuln/detail/CVE-2026-25680){:target="_blank"}, [CVE-2026-25681 :octicons-link-external-16:](https://nvd.nist.gov/vuln/detail/CVE-2026-25681){:target="_blank"}, [CVE-2026-27136 :octicons-link-external-16:](https://nvd.nist.gov/vuln/detail/CVE-2026-27136){:target="_blank"}, [CVE-2026-33814 :octicons-link-external-16:](https://nvd.nist.gov/vuln/detail/CVE-2026-33814){:target="_blank"}, [CVE-2026-39821 :octicons-link-external-16:](https://nvd.nist.gov/vuln/detail/CVE-2026-39821){:target="_blank"}, [CVE-2026-42502 :octicons-link-external-16:](https://nvd.nist.gov/vuln/detail/CVE-2026-42502){:target="_blank"}, [CVE-2026-42506 :octicons-link-external-16:](https://nvd.nist.gov/vuln/detail/CVE-2026-42506){:target="_blank"}
76+
77+
| **Tool** | **Base version** | **Release notes** |
78+
|---|---|---|
79+
| MongoDB Shell (`mongosh`) | 2.8.3 | [upstream release notes :octicons-link-external-16:](https://www.mongodb.com/docs/mongodb-shell/changelog/#v2.8.3){:target="_blank"} |
80+
| Mongo Tools | 100.17.0 | [upstream release notes :octicons-link-external-16:](https://www.mongodb.com/docs/database-tools/release-notes/dbtools-100.17.0-changelog/){:target="_blank"} |

docs/release_notes/index.md

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,8 @@
11

22
# Percona Server for MongoDB 8.0 release notes
33

4+
* [Percona Server for MongoDB 8.0.26-11 ({{date.8_0_26}})](8.0.26-11.md)
5+
46
* [Percona Server for MongoDB 8.0.23-10 ({{date.8_0_23}})](8.0.23-10.md)
57

68
* [Percona Server for MongoDB 8.0.21-9 ({{date.8_0_21}})](8.0.21-9.md)

mkdocs-base.yml

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -251,6 +251,7 @@ nav:
251251
- install/uninstall.md
252252
- Release notes:
253253
- "Release notes index": "release_notes/index.md"
254+
- release_notes/8.0.26-11.md
254255
- release_notes/8.0.23-10.md
255256
- release_notes/8.0.21-9.md
256257
- release_notes/8.0.20-8.md

variables.yml

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
# PBM Variables set for HTML output
22
# See also mkdocs.yml plugins.with-pdf.cover_subtitle and output_path
33

4-
release: '8.0.23-10'
4+
release: '8.0.26-11'
55
version: '8.0'
66
mongosh: '2.8.3'
77
year: "2026"
@@ -10,6 +10,7 @@ product:
1010
psmdb_full_name: "Percona Server for MongoDB"
1111

1212
date:
13+
8_0_26: "2026-06-25"
1314
8_0_23: "2026-05-21"
1415
8_0_21: "2026-05-06"
1516
8_0_20: "2026-04-01"

0 commit comments

Comments
 (0)