CVE-2026-9742

Summary

When OIDC authentication is enabled in configuration, clients may set specific values in the "mechanism" parameter of the "authenticate" command that lead to server crash. The authenticate command is accessible to unauthenticated clients, leading to pre-auth denial-of-service in affected product configurations.

Affected Software

VendorProductVersion RangeStatus
MongoDBMongoDB Server8.3.0 < 8.3.3affected
MongoDBMongoDB Server8.2.0 < 8.2.10affected

Weaknesses

  • CWE-1287: CWE-1287 Improper validation of specified type of input

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References