Description

When OIDC authentication is enabled in the configuration, clients may set specific values in the "mechanism" parameter of the "authenticate" command that cause the server to crash. Because the authenticate command is accessible to unauthenticated clients, this results in a pre-authentication denial of service in affected product configurations.

PUBLISHED Reserved 2026-05-27 | Published 2026-06-09 | Updated 2026-06-10 | Assigner mongodb

HIGH: 8.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

HIGH: 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Problem types

CWE-1287 Improper validation of specified type of input

Product status

Default status: unaffected

8.3.0 (custom) before 8.3.3: affected

8.2.0 (custom) before 8.2.10: affected

References

jira.mongodb.org/browse/SERVER-124183

cve.org (CVE-2026-9742)

nvd.nist.gov (CVE-2026-9742)