Description
The bson_validate function may return early on specific inputs and incorrectly report success. This behavior could result in skipping validation for BSON data, allowing malformed or invalid UTF-8 sequences to bypass validation and be processed incorrectly. The issue may affect applications that rely on this function to validate untrusted BSON data before further processing. This issue affects MongoDB C Driver versions prior to 1.30.5, MongoDB C Driver version 2.0.0 and MongoDB C Driver version 2.0.1.
Published: 2026-04-13
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The bson_validate function in the MongoDB C Driver may return early on specific inputs and report success without having checked the rest of the document, so malformed BSON, including string values that contain invalid UTF-8 sequences, passes validation. An application that uses this call as its gate for untrusted BSON then processes data it believes to be well-formed. The published CVSS vectors rate the consequence as a low integrity impact with no confidentiality or availability impact; downstream code that assumes validated UTF-8 or well-formed structure may still misbehave on such input.

Affected Systems

All MongoDB C Driver releases before 1.30.5, plus the 2.0.0 and 2.0.1 releases, are affected. Any application that validates untrusted BSON with bson_validate from one of these versions is exposed.

Risk and Exploitability

The CVSS v4.0 base score is 5.3 (Medium); the v3.1 score is 4.3. Both vectors describe a network-reachable, low-complexity attack by a low-privileged actor with no user interaction and a low impact on integrity only. The EPSS score of < 1% indicates a very low exploitation probability, the SSVC assessment records no known exploitation and rates the issue as not automatable with partial technical impact, and the vulnerability is not listed in CISA's KEV catalog. The likely attack vector, inferred from the description, is a crafted BSON payload delivered to an application that ingests external data (a network service, a file import path) and trusts bson_validate to reject malformed documents.

Generated by OpenCVE AI on May 6, 2026 at 19:31 UTC.

Remediation

No vendor advisory or workaround is linked on this page. The affected-version range in the description implies that the fix is contained in 1.30.5 and 2.0.2.

OpenCVE Recommended Actions

  • Upgrade MongoDB C Driver to version 1.30.5 or later on the 1.x line, or to 2.0.2 or later on the 2.x line.
  • If an immediate update is not feasible, implement application‑level checks to validate BSON content and reject documents that fail manual UTF‑8 or structural validation before passing them to the driver.
  • Apply size restrictions or sanity checks on incoming BSON data to limit the processing of excessively large or malformed documents before passing them to bson_validate.
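The application-level pre-check recommended above, as an added example written for this page (it is not libbson code and does not call the driver): a stand-alone strict validator that walks the BSON byte layout itself and rejects malformed structure, length mismatches and invalid UTF-8 in both keys and string values, so untrusted documents can be gated before they reach bson_validate. The sample documents are constructed here, the supported element types (double, string, document, array, bool, null, int32, int64) are an assumption of the example, and the bson_strict_validate name is hypothetical.

```c
/* Stand-alone BSON structural + UTF-8 validator (added example, not libbson).
 * Follows the little-endian layout from bsonspec.org for a subset of element
 * types; anything outside that subset is rejected rather than skipped. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_DEPTH 32

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Strict UTF-8 check: rejects overlong forms, surrogates, code points above
 * U+10FFFF, truncated sequences, and embedded NUL bytes. */
static bool utf8_valid(const uint8_t *s, size_t n) {
    size_t i = 0;
    while (i < n) {
        uint8_t c = s[i];
        size_t len; uint32_t cp, min;
        if (c == 0x00) return false;
        if (c < 0x80) { i++; continue; }
        if ((c & 0xE0) == 0xC0)      { len = 2; cp = c & 0x1F; min = 0x80; }
        else if ((c & 0xF0) == 0xE0) { len = 3; cp = c & 0x0F; min = 0x800; }
        else if ((c & 0xF8) == 0xF0) { len = 4; cp = c & 0x07; min = 0x10000; }
        else return false;
        if (i + len > n) return false;
        for (size_t k = 1; k < len; k++) {
            if ((s[i + k] & 0xC0) != 0x80) return false;
            cp = (cp << 6) | (s[i + k] & 0x3F);
        }
        if (cp < min || cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF)) return false;
        i += len;
    }
    return true;
}

/* Validate one document occupying exactly [buf, buf+len). Returns true only
 * if the declared length matches and every byte belongs to a well-formed element. */
static bool validate_doc(const uint8_t *buf, size_t len, int depth) {
    if (depth > MAX_DEPTH || len < 5) return false;
    if (rd32(buf) != len || buf[len - 1] != 0x00) return false;
    size_t pos = 4;
    while (pos < len - 1) {
        uint8_t type = buf[pos++];
        /* key: NUL-terminated cstring that must itself be valid UTF-8 */
        const uint8_t *key = buf + pos;
        const void *nul = memchr(key, 0, len - 1 - pos);
        if (!nul) return false;
        size_t klen = (size_t)((const uint8_t *)nul - key);
        if (!utf8_valid(key, klen)) return false;
        pos += klen + 1;
        size_t remaining = len - 1 - pos;
        switch (type) {
        case 0x01: case 0x12: /* double, int64 */
            if (remaining < 8) return false; pos += 8; break;
        case 0x10: /* int32 */
            if (remaining < 4) return false; pos += 4; break;
        case 0x08: /* bool: only 0x00 / 0x01 are legal encodings */
            if (remaining < 1 || buf[pos] > 1) return false; pos += 1; break;
        case 0x0A: /* null carries no payload */
            break;
        case 0x02: { /* string: int32 byte length including the trailing NUL */
            if (remaining < 4) return false;
            uint32_t slen = rd32(buf + pos);
            if (slen < 1 || slen > remaining - 4) return false;
            const uint8_t *s = buf + pos + 4;
            if (s[slen - 1] != 0x00 || !utf8_valid(s, slen - 1)) return false;
            pos += 4 + slen; break;
        }
        case 0x03: case 0x04: { /* embedded document / array: recurse */
            if (remaining < 5) return false;
            uint32_t dlen = rd32(buf + pos);
            if (dlen > remaining || !validate_doc(buf + pos, dlen, depth + 1)) return false;
            pos += dlen; break;
        }
        default:
            return false; /* unknown or unsupported element type */
        }
    }
    return pos == len - 1;
}

/* Hypothetical entry point an application would call before bson_validate. */
bool bson_strict_validate(const uint8_t *buf, size_t len) {
    return validate_doc(buf, len, 0);
}

/* Constructed sample inputs (not taken from any advisory). */
/* {"name": "héllo", "n": 7} */
static const uint8_t SAMPLE_GOOD[] = {
    0x1D,0,0,0, 0x02,'n','a','m','e',0, 7,0,0,0, 'h',0xC3,0xA9,'l','l','o',0,
    0x10,'n',0, 7,0,0,0, 0 };
/* same document, but the string holds a truncated UTF-8 sequence (0xC3 '(') */
static const uint8_t SAMPLE_BAD_UTF8[] = {
    0x1D,0,0,0, 0x02,'n','a','m','e',0, 7,0,0,0, 'h',0xC3,0x28,'l','l','o',0,
    0x10,'n',0, 7,0,0,0, 0 };
/* {"sub": {"k": true}} exercises the recursive document check */
static const uint8_t SAMPLE_NESTED[] = {
    0x13,0,0,0, 0x03,'s','u','b',0, 9,0,0,0, 0x08,'k',0, 1, 0, 0 };

int main(void) {
    printf("good document:    %s\n", bson_strict_validate(SAMPLE_GOOD, sizeof SAMPLE_GOOD) ? "accepted" : "rejected");
    printf("bad UTF-8:        %s\n", bson_strict_validate(SAMPLE_BAD_UTF8, sizeof SAMPLE_BAD_UTF8) ? "accepted" : "rejected");
    printf("nested document:  %s\n", bson_strict_validate(SAMPLE_NESTED, sizeof SAMPLE_NESTED) ? "accepted" : "rejected");
    printf("truncated buffer: %s\n", bson_strict_validate(SAMPLE_GOOD, sizeof SAMPLE_GOOD - 1) ? "accepted" : "rejected");
    return 0;
}
```

Run this in front of the driver, not instead of it: keep calling bson_validate (with its UTF-8 checking flag) after upgrading to a fixed release, and treat this check as an extra gate for the window before the upgrade is deployed. Because it rejects element types it does not know, extend the switch before using it on documents that carry binary, ObjectId, timestamp or other types.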

Generated by OpenCVE AI on May 6, 2026 at 19:31 UTC.


Advisories

No advisories yet.

History

Wed, 06 May 2026 17:15:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:mongodb:c_driver:*:*:*:*:*:mongodb:*:*

Tue, 14 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Mongodb
Mongodb c Driver
Vendors & Products Mongodb
Mongodb c Driver

Mon, 13 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 13 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Description The bson_validate function may return early on specific inputs and incorrectly report success. This behavior could result in skipping validation for BSON data, allowing malformed or invalid UTF-8 sequences to bypass validation and be processed incorrectly. The issue may affect applications that rely on these functions to validate untrusted BSON data before further processing. This issue affects MongoDB C Driver versions prior to 1.30.5, MongoDB C Driver version 2.0.0 and MongoDB C Driver version 2.0.1
Title bson_validate may skip validation when processing certain inputs
Weaknesses CWE-20
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Mongodb C Driver
MITRE

Status: PUBLISHED

Assigner: mongodb

Published:

Updated: 2026-04-13T19:23:42.752Z

Reserved: 2026-04-13T15:19:17.273Z

Link: CVE-2026-6231

Vulnrichment

Updated: 2026-04-13T19:23:38.604Z

NVD

Status : Analyzed

Published: 2026-04-13T16:16:36.570

Modified: 2026-05-06T17:05:47.720

Link: CVE-2026-6231

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T19:45:10Z

Weaknesses