Skip to main content

C Driver CVE-2026-6231

| EUVDEUVD-2026-22023 MEDIUM
Improper Input Validation (CWE-20)
2026-04-13 mongodb GHSA-q869-m422-4qcv
5.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

7
Patch released
Apr 17, 2026 - 15:18 nvd
Patch available
Patch available
Apr 16, 2026 - 05:29 EUVD
2.0.2,1.30.5
Analysis Generated
Apr 13, 2026 - 16:43 vuln.today
CVSS changed
Apr 13, 2026 - 16:22 NVD
4.3 (MEDIUM) 5.3 (MEDIUM)
EUVD ID Assigned
Apr 13, 2026 - 16:15 euvd
EUVD-2026-22023
Analysis Generated
Apr 13, 2026 - 16:15 vuln.today
CVE Published
Apr 13, 2026 - 15:31 nvd
MEDIUM 5.3

DescriptionCVE.org

The bson_validate function may return early on specific inputs and incorrectly report success. This behavior could result in skipping validation for BSON data, allowing malformed or invalid UTF-8 sequences to bypass validation and be processed incorrectly. The issue may affect applications that rely on these functions to validate untrusted BSON data before further processing. This issue affects MongoDB C Driver versions prior to 1.30.5, MongoDB C Driver version 2.0.0 and MongoDB C Driver version 2.0.1

AnalysisAI

MongoDB C Driver bson_validate function returns early on specific inputs and incorrectly reports successful validation, allowing malformed or invalid UTF-8 sequences in BSON data to bypass validation checks. This affects MongoDB C Driver versions prior to 1.30.5, 2.0.0, and 2.0.1, and impacts applications that depend on this validation function to process untrusted BSON data. Authenticated remote attackers can exploit this to inject invalid BSON data, potentially causing integrity issues in downstream processing; EPSS 0.48 indicates this is a moderate-priority issue that warrants patching but is not among the highest-risk vulnerabilities.

Technical ContextAI

BSON (Binary JSON) is MongoDB's internal binary serialization format used for data storage and transmission. The bson_validate function is a critical security boundary in the MongoDB C Driver (CPE: cpe:2.3:a:mongodb_inc.:c_driver) that validates BSON document structure and encoding, including UTF-8 character sequence correctness. The vulnerability is classified as CWE-20 (Improper Input Validation), a root-cause weakness indicating the validation logic contains a flaw that causes it to exit early under specific input patterns without fully checking all constraints. When the function incorrectly reports success despite incomplete validation, subsequent application code that trusts this result may process malformed BSON as valid, potentially triggering unexpected behavior in database operations or data transformations that depend on well-formed input.

RemediationAI

Upgrade MongoDB C Driver to version 1.30.5 or later for the 1.x branch, or to version 2.0.2 or later for the 2.x branch. Consult the MongoDB JIRA ticket at https://jira.mongodb.org/browse/CDRIVER-6017 for detailed release notes and validation of the fix. If immediate upgrade is not possible, implement secondary BSON validation at the application layer, such as schema validation via MongoDB server-side rules or application-level deserialization checks, to ensure malformed data does not propagate downstream. Test the patched driver thoroughly with existing BSON inputs to confirm compatibility before rolling out to production.

Share

CVE-2026-6231 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy