
MongoDB Server EUVD-2026-29891

CVE-2026-8200 MEDIUM
Insertion of Sensitive Information into Log File (CWE-532)
2026-05-13 mongodb GHSA-595w-9635-gr7c
4.8
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
4.8 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: Passive (P)
Scope: X

Lifecycle Timeline

Severity Changed: LOW → MEDIUM (May 13, 2026 - 15:52, NVD)
CVSS changed: 2.7 (LOW) → 4.8 (MEDIUM) (May 13, 2026 - 15:52, NVD)
Patch available: May 13, 2026 - 01:17 (EUVD)
Analysis Generated: May 13, 2026 - 01:15 (vuln.today)
CVE Published: May 13, 2026 - 00:08 (nvd), initial rating LOW 2.7

Description (CVE.org)

When schema validation is enabled on a collection and an update or insert would violate the collection's schema, the local server log message generated may not have all user data redacted.

This issue impacts MongoDB Server v7.0 versions prior to 7.0.34, v8.0 versions prior to 8.0.23, v8.2 versions prior to 8.2.9 and v8.3 versions prior to 8.3.2.

Analysis (AI)

MongoDB Server fails to fully redact user data in local server log messages when schema validation is enabled and an update or insert operation violates the collection schema, allowing authenticated administrators to access sensitive information through log inspection. This information disclosure affects MongoDB Server 7.0 prior to 7.0.34, 8.0 prior to 8.0.23, 8.2 prior to 8.2.9, and 8.3 prior to 8.3.2. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Obtain MongoDB admin credentials
Delivery: Enable schema validation on target collection
Exploit: Submit write operation violating schema
Execution: Inspect local server logs
Impact: Extract unredacted user data from validation error messages

Vulnerability Assessment (AI)

Exploitation: Exploitation requires the following specific conditions: (1) schema validation must be explicitly enabled on at least one collection in the MongoDB instance (this is not the default state), (2) the attacker must possess MongoDB administrative credentials (PR:H in the CVSS vector) to execute write operations and access logs, (3) an insert or update operation must be executed that violates the defined schema constraints to trigger the logging path, and (4) the attacker must have filesystem or application-level access to read MongoDB server log files. …

Risk Assessment: This vulnerability presents minimal real-world risk despite confirmed patch availability. …

Exploit Scenario: An authenticated MongoDB administrator with high-privilege credentials intentionally inserts or updates a document that violates an enabled collection schema constraint, causing MongoDB to log the validation error. The administrator then inspects the local MongoDB server logs and discovers that user data (such as field values, schema definitions, or error context) was not fully redacted in the error message, revealing sensitive information that should have been masked. …

Remediation: Upgrade MongoDB Server to version 7.0.34 or later for the v7.0 branch, 8.0.23 or later for the v8.0 branch, 8.2.9 or later for the v8.2 branch, or 8.3.2 or later for the v8.3 branch. …



EUVD-2026-29891 vulnerability details – vuln.today
