CVE-2026-9742

HIGH EPSS 26.5%

Published Jun 9, 20262w ago · Modified Jun 18, 20261w ago

8.2 CVSS 4.0

High

Published Jun 9, 2026 2w ago

Last Modified Jun 18, 2026 1w ago

Description

When OIDC authentication is enabled in configuration, clients may set specific values in the "mechanism" parameter of the "authenticate" command that lead to server crash. The authenticate command is accessible to unauthenticated clients, leading to pre-auth denial-of-service in affected product configurations.

CVSS Details

Base Score

8.2

Exploitability

—

Impact

—

Vector string

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector Network

Attack Complexity Low

Privileges Required None

User Interaction None

Scope X

Threat Intelligence

EPSS Exploit Probability

26.5% percentile

Exploit & Patch Status

No Known Exploit

Patch Available

Weaknesses 1

CWE-1287

Affected Products 2

Vendor	Product	Version	Range
mongodb	mongodb	*	≥8.2.0 – <8.2.10
mongodb	mongodb	*	≥8.3.0 – <8.3.3

References 1

jira.mongodb.org https://jira.mongodb.org/browse/SERVER-124183

PatchVendor AdvisoryIssue Tracking

Remediation

jira.mongodb.org https://jira.mongodb.org/browse/SERVER-124183

PatchVendor AdvisoryIssue Tracking