Skip to main content

MongoDB C Driver CVE-2026-6691

| EUVDEUVD-2026-27838 HIGH
Classic Buffer Overflow (CWE-120)
2026-05-06 mongodb GHSA-587q-94wg-2pfp
8.6
CVSS 4.0 · Vendor: mongodb
Share

Severity by source

Vendor (mongodb) PRIMARY
8.6 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (mongodb) · only source for this CVE.

CVSS VectorVendor: mongodb

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Analysis Updated
May 06, 2026 - 16:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 06, 2026 - 16:22 vuln.today
cvss_changed
CVSS changed
May 06, 2026 - 16:22 NVD
7.8 (HIGH) 8.6 (HIGH)
Analysis Generated
May 06, 2026 - 16:00 vuln.today

DescriptionCVE.org

The MongoDB C Driver's Cyrus SASL integration performs unsafe string copying during username canonicalization, enabling a heap buffer overflow before any authentication or network traffic. This may be triggered by passing untrusted input in the username of a MongoDB URI with authMechanism=GSSAPI.

AnalysisAI

Heap buffer overflow in MongoDB C Driver's Cyrus SASL integration allows local attackers to achieve code execution before authentication by providing a maliciously crafted username in a MongoDB URI with GSSAPI authentication. The vulnerability triggers during username canonicalization via unsafe string copying, requiring no privileges or user interaction. Exploitable against any application using the affected driver that processes untrusted MongoDB connection strings. No active exploitation confirmed (not in CISA KEV). EPSS data not provided. Vendor has acknowledged the issue via JIRA tracking (CDRIVER-6134).

Technical ContextAI

The MongoDB C Driver (libmongoc) implements SASL authentication mechanisms including GSSAPI (Kerberos) through integration with the Cyrus SASL library. During the username canonicalization phase-which occurs before network traffic or credential validation-the driver performs string operations to normalize the username extracted from the MongoDB URI. The vulnerability stems from CWE-120 (Buffer Copy without Checking Size of Input), where unbounded string copying to a heap-allocated buffer enables overflow when processing excessively long or specially-crafted usernames. The CVSS 4.0 vector indicates Local attack vector (AV:L), meaning the attacker must have the ability to influence the connection string passed to applications using the driver-typically through configuration files, environment variables, or application input fields that construct MongoDB URIs. The pre-authentication nature makes this particularly severe as it bypasses all authentication controls.

RemediationAI

Consult MongoDB JIRA issue CDRIVER-6134 (https://jira.mongodb.org/browse/CDRIVER-6134) for vendor-confirmed fix version and apply the patched MongoDB C Driver release immediately. Until patching is complete, implement these compensating controls with noted trade-offs: (1) Disable GSSAPI authentication mechanism if not operationally required-removes attack surface but eliminates Kerberos SSO capability; validate that authMechanism=GSSAPI is not present in any MongoDB URIs. (2) Implement strict input validation on all sources that construct MongoDB connection strings-sanitize usernames to alphanumeric characters with maximum length of 64 bytes before URI construction; this may break legitimate Kerberos principal names containing special characters. (3) Run applications using the driver with minimized filesystem and memory permissions through containers or sandboxing-reduces post-exploitation impact but adds operational complexity and may affect performance. (4) Use read-only configuration sources for MongoDB URIs that are not modifiable by untrusted users-limits local attack vector but requires infrastructure changes. Monitor vendor security advisories at https://www.mongodb.com/alerts for official patching guidance and regression testing recommendations.

Share

CVE-2026-6691 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy