Disclosure up front: I work at Percona. Posting this because the framing in some of the chatter I'm seeing about CVE-2026-8053 is going to leave many teams exposed.

The bug in one line: out-of-bounds memory write in MongoDB's time-series bucket catalog. An authenticated user with the readWrite role on any database can trigger it via a crafted sequence of operations against a time-series collection. CVSS v3.1 8.8, v4.0 8.7. Upstream tracking: SERVER-126021.

Why is the prerequisite weaker than it looks?

The advisory says the attacker needs database write privileges. That's accurate, but in practice, it means the built-in readWrite role, which is what most application accounts already hold. So an attacker who lifts an application credential (from a CI log, a .env file, a compromised pod, an ex-employee's laptop) does not need your deployment to already host a time-series collection. They can create one on the spot and reach the vulnerable code path.…
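
Added example, not part of the original post or of any vendor tooling: a small audit that lists which accounts meet the prerequisite described above, given user documents in the shape `usersInfo` returns with `showPrivileges: true`. The function name, the sample users, the `ingest` custom role, and the choice of `insert` plus `createCollection` as the test for custom roles are assumptions made for illustration.

```javascript
// Built-in roles that carry readWrite's privileges (not an exhaustive list).
const WRITE_ROLES = new Set(["readWrite", "readWriteAnyDatabase", "dbOwner", "root"]);
// Assumption: a custom role counts as "write" when it grants both of these actions.
const WRITE_ACTIONS = ["insert", "createCollection"];

// users: user documents in the shape usersInfo returns with showPrivileges: true.
function writeCapableAccounts(users) {
  const findings = [];
  for (const u of users) {
    // Direct and inherited role grants that match a known write-capable built-in.
    const roles = [...(u.roles || []), ...(u.inheritedRoles || [])]
      .filter((r) => WRITE_ROLES.has(r.role))
      .map((r) => `${r.role}@${r.db}`);
    // Effective privileges on database resources (skips cluster/anyResource entries).
    const resources = (u.inheritedPrivileges || [])
      .filter((p) => p.resource && typeof p.resource.db === "string")
      .filter((p) => WRITE_ACTIONS.every((a) => (p.actions || []).includes(a)))
      .map((p) => `${p.resource.db || "*"}.${p.resource.collection || "*"}`);
    if (roles.length || resources.length) {
      findings.push({
        account: `${u.user}@${u.db}`,
        roles: [...new Set(roles)],
        resources: [...new Set(resources)],
      });
    }
  }
  return findings;
}

// Constructed sample, not from a real deployment.
const SAMPLE_USERS = [
  { user: "app_svc", db: "admin", roles: [{ role: "readWrite", db: "orders" }] },
  { user: "reporting", db: "admin", roles: [{ role: "read", db: "orders" }] },
  {
    user: "etl", db: "admin", roles: [{ role: "ingest", db: "metrics" }], // hypothetical custom role
    inheritedPrivileges: [
      { resource: { db: "metrics", collection: "" }, actions: ["createCollection", "find", "insert"] },
    ],
  },
];

console.log(JSON.stringify(writeCapableAccounts(SAMPLE_USERS), null, 2));
```

The read-only `reporting` account is not reported; `app_svc` is caught by role name and `etl` by its effective privileges, which is the case a name-only check would miss.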