Severity by source
CVSS 4.0 vector (NVD, the primary and only rating source for this CVE):
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (CVE.org)
When schema validation is enabled on a collection and an update or insert would violate the collection's schema, the local server log message generated may not have all user data redacted.
This issue impacts MongoDB Server v7.0 versions prior to 7.0.34, v8.0 versions prior to 8.0.23, v8.2 versions prior to 8.2.9 and v8.3 versions prior to 8.3.2.
Analysis (AI)
MongoDB Server fails to fully redact user data in local server log messages when schema validation is enabled and an update or insert operation violates the collection schema, allowing authenticated administrators to access sensitive information through log inspection. This information disclosure affects MongoDB Server 7.0 prior to 7.0.34, 8.0 prior to 8.0.23, 8.2 prior to 8.2.9, and 8.3 prior to 8.3.2. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Exploitation requires the following specific conditions: (1) schema validation must be explicitly enabled on at least one collection in the MongoDB instance (this is not the default state), (2) the attacker must possess MongoDB administrative credentials (PR:H in the CVSS vector) to execute write operations and access logs, (3) an insert or update operation must be executed that violates the defined schema constraints to trigger the logging path, and (4) the attacker must have filesystem or application-level access to read the MongoDB server log files. … |
| Risk Assessment | This vulnerability presents minimal real-world risk despite confirmed patch availability. … |
| Exploit Scenario | An authenticated MongoDB administrator with high-privilege credentials intentionally inserts or updates a document that violates an enabled collection schema constraint, causing MongoDB to log the validation error. The administrator then inspects the local MongoDB server logs and discovers that user data (such as field values, schema definitions, or error context) was not fully redacted in the error message, revealing sensitive information that should have been masked. … |
| Remediation | Upgrade MongoDB Server to version 7.0.34 or later for the v7.0 branch, 8.0.23 or later for the v8.0 branch, 8.2.9 or later for the v8.2 branch, or 8.3.2 or later for the v8.3 branch. … |
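As an added example (not part of this advisory page or of MongoDB's own code), the following Python checks a mongod version string against the fixed versions listed above and, given `listCollections`-style documents, lists the collections that have a validator configured, since schema validation being enabled is the precondition for the affected logging path. The `mongod --version` output, the collection documents and the pre-release handling are assumptions; the sample collection documents are constructed here.

```python
# Fixed versions per branch, taken from the advisory text above.
FIXED_VERSIONS = {
    (7, 0): (7, 0, 34),
    (8, 0): (8, 0, 23),
    (8, 2): (8, 2, 9),
    (8, 3): (8, 3, 2),
}


def parse_version(version: str) -> tuple[tuple[int, int, int], bool]:
    """Split 'X.Y.Z' or 'X.Y.Z-rc1' into (major, minor, patch) and a
    pre-release flag. Assumption: a '-suffix' marks a build that precedes
    the plain release, so it is treated as older than X.Y.Z."""
    core, _, suffix = version.strip().lstrip("v").partition("-")
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2]), bool(suffix)


def is_affected(version: str) -> bool:
    """True if the version is on a listed branch and below that branch's fix.
    Branches not named in the advisory return False (unlisted, not proven safe)."""
    (major, minor, patch), prerelease = parse_version(version)
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is None:
        return False
    current = (major, minor, patch)
    return current < fixed or (current == fixed and prerelease)


def collections_with_validator(collection_infos: list[dict]) -> list[str]:
    """Return names of collections whose options carry a validator, i.e. the
    collections on which schema validation is enabled (the trigger precondition).
    Input shape mirrors what listCollections returns: {'name': ..., 'options': {...}}."""
    return [
        info["name"]
        for info in collection_infos
        if info.get("options", {}).get("validator")
    ]


# Constructed sample: what an operator might get back from listCollections.
SAMPLE_COLLECTIONS = [
    {"name": "users", "options": {"validator": {"$jsonSchema": {"required": ["email"]}}}},
    {"name": "sessions", "options": {}},
    {"name": "audit", "options": {"capped": True}},
]

if __name__ == "__main__":
    print(is_affected("8.0.22"), collections_with_validator(SAMPLE_COLLECTIONS))
```

Run `mongod --version` (or `db.version()` in mongosh) to obtain the version string, and `db.getCollectionInfos()` per database to obtain the collection documents for the second check.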
Technique: Information Disclosure
References
- EUVD-2026-29891
- GHSA-595w-9635-gr7c