Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (mongodb) · only source for this CVE.
CVSS VectorVendor: mongodb
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
The MongoDB C Driver's Cyrus SASL integration performs unsafe string copying during username canonicalization, enabling a heap buffer overflow before any authentication or network traffic. This may be triggered by passing untrusted input in the username of a MongoDB URI with authMechanism=GSSAPI.
AnalysisAI
Heap buffer overflow in MongoDB C Driver's Cyrus SASL integration allows local attackers to achieve code execution before authentication by providing a maliciously crafted username in a MongoDB URI with GSSAPI authentication. The vulnerability triggers during username canonicalization via unsafe string copying, requiring no privileges or user interaction. Exploitable against any application using the affected driver that processes untrusted MongoDB connection strings. No active exploitation confirmed (not in CISA KEV). EPSS data not provided. Vendor has acknowledged the issue via JIRA tracking (CDRIVER-6134).
Technical ContextAI
The MongoDB C Driver (libmongoc) implements SASL authentication mechanisms including GSSAPI (Kerberos) through integration with the Cyrus SASL library. During the username canonicalization phase-which occurs before network traffic or credential validation-the driver performs string operations to normalize the username extracted from the MongoDB URI. The vulnerability stems from CWE-120 (Buffer Copy without Checking Size of Input), where unbounded string copying to a heap-allocated buffer enables overflow when processing excessively long or specially-crafted usernames. The CVSS 4.0 vector indicates Local attack vector (AV:L), meaning the attacker must have the ability to influence the connection string passed to applications using the driver-typically through configuration files, environment variables, or application input fields that construct MongoDB URIs. The pre-authentication nature makes this particularly severe as it bypasses all authentication controls.
RemediationAI
Consult MongoDB JIRA issue CDRIVER-6134 (https://jira.mongodb.org/browse/CDRIVER-6134) for vendor-confirmed fix version and apply the patched MongoDB C Driver release immediately. Until patching is complete, implement these compensating controls with noted trade-offs: (1) Disable GSSAPI authentication mechanism if not operationally required-removes attack surface but eliminates Kerberos SSO capability; validate that authMechanism=GSSAPI is not present in any MongoDB URIs. (2) Implement strict input validation on all sources that construct MongoDB connection strings-sanitize usernames to alphanumeric characters with maximum length of 64 bytes before URI construction; this may break legitimate Kerberos principal names containing special characters. (3) Run applications using the driver with minimized filesystem and memory permissions through containers or sandboxing-reduces post-exploitation impact but adds operational complexity and may affect performance. (4) Use read-only configuration sources for MongoDB URIs that are not modifiable by untrusted users-limits local attack vector but requires infrastructure changes. Monitor vendor security advisories at https://www.mongodb.com/alerts for official patching guidance and regression testing recommendations.
More in Mongodb C Driver
View allSame weakness CWE-120 – Classic Buffer Overflow
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27838
GHSA-587q-94wg-2pfp