Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (mongodb) · only source for this CVE.
CVSS Vector (Vendor: mongodb)
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (source: CVE.org)
MongoDB server may log authentication parameters, including credentials, to the server log during SASL authentication. When connection health metric logging is enabled, the full authentication parameters are written to the log without redaction.
Analysis (AI-generated)
MongoDB Server leaks SASL authentication credentials into plaintext server logs when connection health metric logging is enabled, exposing database passwords to any local actor with log file read access. The flaw (CWE-532) affects all versions per the available CPE data and was self-disclosed by MongoDB, indicating a vendor-acknowledged issue without a confirmed patch version at time of analysis. …
Attack Chain (AI-derived)
Hypothetical attack flow derived from CVE metadata.
Vulnerability Assessment (AI-generated)
| Aspect | Assessment |
|---|---|
| Exploitation | Two conditions must both be satisfied: (1) connection health metric logging must be enabled on the MongoDB server; this is the specific non-default configuration setting that triggers unredacted credential writes to the log, and deployments where this feature is not enabled are not affected by this code path; (2) the attacker must have local OS-level access to the server host with at least low-privilege read permissions on the MongoDB log files, consistent with the CVSS 4.0 vector PR:L and AV:L. … |
| Risk Assessment | The CVSS 4.0 score of 6.8 with vector AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N reflects a locally exploitable, low-complexity credential disclosure with high confidentiality impact confined to the vulnerable system (SC:N/SI:N/SA:N confirms no change of scope to other systems). … |
| Exploit Scenario | An attacker with a low-privileged foothold on the MongoDB host, such as a compromised application service account or a malicious insider, navigates to the MongoDB log directory and reads the server log, which contains plaintext SASL authentication parameters written during client connection events. The attacker extracts the credential material and uses it to authenticate directly to the MongoDB instance with the privileges of the logged account, gaining unauthorized read access to all databases accessible by those credentials. … |
| Remediation | No vendor-released patched version has been independently confirmed; the only available reference is MongoDB Jira ticket SERVER-126506 (https://jira.mongodb.org/browse/SERVER-126506), which should be monitored for patch release details and an official advisory with exact fix versions. … |
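The first question a defender has for this CVE is whether existing mongod logs already hold unredacted SASL parameters and which accounts therefore need rotating. The scanner below is an added example, not MongoDB's code and not taken from this advisory: it walks structured (JSON) mongod log entries, flags any `attr` tree carrying a `saslStart`/`saslContinue` command together with its `payload`, and for the PLAIN mechanism recovers only the username so the secret itself is never reported. The sample log lines and the exact attribute layout a vulnerable build writes are constructed assumptions.

```python
import base64
import json

# Constructed sample lines in mongod's structured (JSON) log format. The exact
# message text and attribute layout a vulnerable build emits is an assumption.
SAMPLE_LOG = """\
{"t":{"$date":"2026-01-01T10:00:00.000Z"},"s":"I","c":"NETWORK","ctx":"conn12","msg":"Connection accepted","attr":{"remote":"10.0.0.5:51000"}}
{"t":{"$date":"2026-01-01T10:00:01.000Z"},"s":"I","c":"ACCESS","ctx":"conn12","msg":"Connection health metrics","attr":{"command":{"saslStart":1,"mechanism":"PLAIN","payload":"AGFwcF91c2VyAHMzY3IzdA==","$db":"admin"}}}
{"t":{"$date":"2026-01-01T10:00:02.000Z"},"s":"I","c":"ACCESS","ctx":"conn12","msg":"Successfully authenticated","attr":{"user":"app_user","db":"admin"}}
"""

def _leaves(node, path):
    # Yield (path, value) for every scalar inside a nested JSON value.
    if isinstance(node, dict):
        for k, v in node.items():
            yield from _leaves(v, path + (k,))
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from _leaves(v, path + (str(i),))
    else:
        yield path, node

def _plain_username(payload_b64):
    """SASL PLAIN payload is base64(authzid NUL authcid NUL passwd); return only authcid."""
    try:
        parts = base64.b64decode(payload_b64, validate=True).split(b"\x00")
        return parts[1].decode() if len(parts) == 3 else None
    except (TypeError, ValueError, UnicodeDecodeError):
        return None

def find_leaked_sasl(log_text):
    """One finding per entry whose attr carries a saslStart/saslContinue payload:
    timestamp, connection, mechanism, field path and (PLAIN only) the exposed username."""
    findings = []
    for line in log_text.splitlines():
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # legacy text-format line; not handled by this scanner
        leaves = dict(_leaves(entry.get("attr", {}), ("attr",)))
        if not any(p[-1] in ("saslStart", "saslContinue") for p in leaves):
            continue
        mech = next((v for p, v in leaves.items() if p[-1] == "mechanism"), "unknown")
        for path, value in leaves.items():
            if path[-1] == "payload":  # other mechanisms' payloads still warrant rotation
                findings.append({"time": entry.get("t", {}).get("$date"),
                                 "ctx": entry.get("ctx"), "mechanism": mech,
                                 "field": ".".join(path),
                                 "user": _plain_username(value) if mech == "PLAIN" else None})
    return findings
```

Run it over the real log directory (e.g. `find_leaked_sasl(open(path).read())` per file) and treat every account in the output as compromised until rotated; a non-empty result is also the signal to confirm whether connection health metric logging is enabled on that host.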
Identifiers: EUVD-2026-35856, GHSA-93h4-p6c6-58pw