Description
The bson_validate function may return early on specific inputs and incorrectly report success. This behavior could result in skipping validation for BSON data, allowing malformed or invalid UTF-8 sequences to bypass validation and be processed incorrectly. The issue may affect applications that rely on these functions to validate untrusted BSON data before further processing. This issue affects MongoDB C Driver versions prior to 1.30.5, MongoDB C Driver version 2.0.0, and MongoDB C Driver version 2.0.1.
Published: 2026-04-13
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Inadequate BSON validation leading to processing of malformed or invalid UTF-8 data
Action: Update Driver
AI Analysis

Impact

The bson_validate function in the MongoDB C Driver (libbson) may return early on specific inputs and report success without having checked the whole document. Malformed BSON, including string values and keys that contain invalid UTF-8 sequences, can therefore pass validation and reach code that assumes it has already been checked. This is an input validation weakness (CWE-20). The vendor's CVSS vectors rate the impact as a limited loss of integrity with no confidentiality or availability impact, and the CVE description mentions no crash or memory corruption; the practical consequence is that downstream parsing, storage, or comparison logic operates on data the application believed to be well-formed.

Affected Systems

The MongoDB C Driver is affected in every release before 1.30.5 and in the 2.0.0 and 2.0.1 releases. Any application that links one of these driver versions and relies on bson_validate to reject untrusted BSON before processing it is exposed; applications that only pass BSON produced by their own trusted code are not affected by this defect.

Risk and Exploitability

The CVSS v4.0 base score of 5.3 (v3.1: 4.3) rates the issue as medium: the vectors describe a network-reachable flaw of low attack complexity that requires low privileges and no user interaction, with a low integrity impact only. The EPSS score is below 1% and the vulnerability is not listed in CISA's KEV catalog, so there is no evidence of exploitation in the wild at the time of this analysis; the SSVC assessment recorded in the history below likewise marks exploitation as "none" and the issue as not automatable. The defect is nonetheless reachable by anyone who can supply a crafted BSON payload to an application that ingests external data, such as a network service or a file import feature, and that relies on bson_validate to reject malformed documents before using them.

Generated by OpenCVE AI on April 13, 2026 at 18:39 UTC.

Remediation

No vendor advisory or workaround is linked on this page. The affected-version list in the description implies that the defect is fixed in 1.30.5 and in 2.0.x releases after 2.0.1.

OpenCVE Recommended Actions

  • Upgrade MongoDB C Driver to version 1.30.5 or later, or to any 2.0.x release after 2.0.1.
  • If an immediate update is not feasible, add an application-level check in front of the driver: verify the document's declared length, element framing, and terminators, and run a strict UTF-8 check over every key and string value, rejecting anything that fails before the driver processes it. Treat a success result from bson_validate on untrusted input as necessary but not sufficient until the driver has been upgraded.
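
As an added example (not code from the MongoDB C Driver or from OpenCVE), the following C program implements the independent check recommended above: a self-contained walker that verifies a BSON buffer's declared length, element framing, and terminators, and runs a strict UTF-8 check over every key and string value. It depends only on the C standard library, so it can run in front of bson_validate rather than relying on it. The nesting limit, the set of element types it accepts, and the four sample documents are assumptions chosen for the example; any element type it does not model is rejected rather than skipped.

```c
/* Added example (not mongo-c-driver code): an independent structural and
 * UTF-8 check for an untrusted BSON buffer, usable as defence in depth
 * in front of bson_validate. Needs only the C standard library. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_DEPTH 32  /* assumption: reject documents nested deeper than this */

static uint32_t rd_u32(const uint8_t *p) {  /* BSON integers are little-endian */
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Strict UTF-8: rejects truncated sequences, stray continuation bytes,
 * overlong encodings, UTF-16 surrogates and code points above U+10FFFF. */
bool utf8_valid(const uint8_t *s, size_t n) {
    size_t i = 0;
    while (i < n) {
        uint8_t c = s[i];
        size_t len = 0; uint32_t cp = 0, min = 0;
        if (c < 0x80) { i++; continue; }
        if ((c & 0xE0) == 0xC0)      { len = 2; cp = c & 0x1F; min = 0x80; }
        else if ((c & 0xF0) == 0xE0) { len = 3; cp = c & 0x0F; min = 0x800; }
        else if ((c & 0xF8) == 0xF0) { len = 4; cp = c & 0x07; min = 0x10000; }
        else return false;                       /* 0x80..0xBF or 0xF8..0xFF lead byte */
        if (n - i < len) return false;           /* truncated sequence */
        for (size_t k = 1; k < len; k++) {
            if ((s[i + k] & 0xC0) != 0x80) return false;
            cp = (cp << 6) | (s[i + k] & 0x3F);
        }
        if (cp < min || cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF)) return false;
        i += len;
    }
    return true;
}

/* True iff buf[0..len) is exactly one well-formed BSON document whose keys and
 * string values are valid UTF-8. Element types this checker does not model
 * are rejected rather than skipped. */
static bool doc_valid(const uint8_t *buf, size_t len, int depth) {
    if (depth > MAX_DEPTH || len < 5) return false;
    if (rd_u32(buf) != len || buf[len - 1] != 0x00) return false; /* header length and terminator */
    size_t pos = 4, end = len - 1;
    while (pos < end) {
        uint8_t type = buf[pos++];
        size_t kstart = pos;                        /* key: NUL-terminated cstring */
        while (pos < end && buf[pos] != 0x00) pos++;
        if (pos >= end || !utf8_valid(buf + kstart, pos - kstart)) return false;
        pos++;                                      /* skip the key's NUL */
        size_t avail = end - pos, need = 0;
        switch (type) {
        case 0x01: case 0x09: case 0x12: need = 8; break;   /* double, datetime, int64 */
        case 0x07: need = 12; break;                         /* ObjectId */
        case 0x0A: need = 0; break;                          /* null */
        case 0x10: need = 4; break;                          /* int32 */
        case 0x08:                                           /* bool must be 0 or 1 */
            if (avail < 1 || buf[pos] > 1) return false;
            need = 1; break;
        case 0x02: {                                         /* string: int32 len, bytes, NUL */
            if (avail < 4) return false;
            uint32_t slen = rd_u32(buf + pos);
            if (slen < 1 || slen > avail - 4) return false;  /* length must fit the buffer */
            const uint8_t *s = buf + pos + 4;
            if (s[slen - 1] != 0x00 || !utf8_valid(s, slen - 1)) return false;
            need = 4 + slen; break;
        }
        case 0x03: case 0x04: {                              /* embedded document / array */
            if (avail < 4) return false;
            uint32_t dlen = rd_u32(buf + pos);
            if (dlen > avail || !doc_valid(buf + pos, dlen, depth + 1)) return false;
            need = dlen; break;
        }
        case 0x05: {                                         /* binary: int32 len, subtype, bytes */
            if (avail < 5) return false;
            uint32_t blen = rd_u32(buf + pos);
            if (blen > avail - 5) return false;
            need = 5 + blen; break;
        }
        default: return false;                               /* unmodelled type: reject */
        }
        if (need > avail) return false;
        pos += need;
    }
    return pos == end;                              /* last element must end exactly at the terminator */
}

bool bson_buffer_valid(const uint8_t *buf, size_t len) { return doc_valid(buf, len, 0); }

/* Constructed sample inputs (not captured from any real system). */
const uint8_t DOC_OK[]     = {15,0,0,0, 0x02,'a',0, 3,0,0,0,'h','i',0, 0};                /* {"a":"hi"} */
const uint8_t DOC_BADUTF[] = {15,0,0,0, 0x02,'a',0, 3,0,0,0,0xC0,0xAF,0, 0};              /* overlong "/" */
const uint8_t DOC_NESTED[] = {20,0,0,0, 0x03,'a',0, 12,0,0,0, 0x10,'b',0, 1,0,0,0, 0, 0}; /* {"a":{"b":1}} */
const uint8_t DOC_BADLEN[] = {15,0,0,0, 0x02,'a',0, 9,0,0,0,'h','i',0, 0};                /* string length overruns */

int main(void) {
    printf("ok=%d badutf=%d nested=%d badlen=%d truncated=%d\n",
           bson_buffer_valid(DOC_OK, sizeof DOC_OK), bson_buffer_valid(DOC_BADUTF, sizeof DOC_BADUTF),
           bson_buffer_valid(DOC_NESTED, sizeof DOC_NESTED), bson_buffer_valid(DOC_BADLEN, sizeof DOC_BADLEN),
           bson_buffer_valid(DOC_OK, sizeof DOC_OK - 1));
    return 0;
}
```

Rejecting unmodelled types is deliberate: a defence-in-depth filter that silently skips what it does not understand reproduces the failure mode this CVE describes. Extend the switch only with element types whose wire layout you have checked against the BSON specification, and keep the check in place until every deployed copy of the driver is on a fixed version.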

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 16:30:00 +0000

  Type                  Values Removed   Values Added
  First Time appeared   (none)           Mongodb; Mongodb c Driver
  Vendors & Products    (none)           Mongodb; Mongodb c Driver

Mon, 13 Apr 2026 20:30:00 +0000

  Type      Values Removed   Values Added
  Metrics   (none)           ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 13 Apr 2026 16:15:00 +0000

  Type          Values Removed   Values Added
  Description   (none)           The bson_validate function may return early on specific inputs and incorrectly report success. This behavior could result in skipping validation for BSON data, allowing malformed or invalid UTF-8 sequences to bypass validation and be processed incorrectly. The issue may affect applications that rely on these functions to validate untrusted BSON data before further processing. This issue affects MongoDB C Driver versions prior to 1.30.5, MongoDB C Driver version 2.0.0 and MongoDB C Driver version 2.0.1
  Title         (none)           bson_validate may skip validation when processing certain inputs
  Weaknesses    (none)           CWE-20
  References    (none)           (empty)
  Metrics       (none)           cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}
                                 cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: mongodb

Published:

Updated: 2026-04-13T19:23:42.752Z

Reserved: 2026-04-13T15:19:17.273Z

Link: CVE-2026-6231

Vulnrichment

Updated: 2026-04-13T19:23:38.604Z

NVD

Status: Received

Published: 2026-04-13T16:16:36.570

Modified: 2026-04-13T16:16:36.570

Link: CVE-2026-6231

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:34:11Z

Weaknesses