Description
The MongoDB C Driver's Cyrus SASL integration performs unsafe string copying during username canonicalization, enabling a heap buffer overflow before any authentication or network traffic. This may be triggered by passing untrusted input in the username of a MongoDB URI with authMechanism=GSSAPI.
Published: 2026-05-06
Score: 8.6 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is in the MongoDB C Driver's Cyrus SASL integration, where the username taken from the connection URI is copied into a heap buffer during canonicalization without a length check (CWE-120). The copy happens while the client is being configured, before any authentication handshake or network traffic, so no malicious server is involved: whoever controls the username component of a URI that sets authMechanism=GSSAPI can trigger the heap overflow inside the process that uses the driver. A successful exploit corrupts heap memory in that process and, as the CVSS vectors record, can compromise its confidentiality, integrity, and availability, up to arbitrary code execution.
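
To make the CWE-120 pattern concrete, the following C snippet is an added illustration and not the driver's code: it models a canonicalization step that appends a default realm to a bare principal and copies the result into a fixed-size heap buffer, first with an unbounded strcpy/strcat (the vulnerable shape) and then with a length check computed before the copy. The buffer size, the default realm, and the append-realm step are assumptions for the example; how the real mongoc canonicalization path is laid out is not described on this page.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative constants; the driver's real buffer size and realm handling
 * are not known from the advisory. */
#define CANON_BUF_SIZE 64
#define DEFAULT_REALM  "EXAMPLE.COM"

/* Bytes the canonical form needs, including the terminating NUL. A bare
 * principal (no '@') gets "@" + DEFAULT_REALM appended. */
static size_t canon_len_needed(const char *user)
{
    size_t n = strlen(user) + 1;               /* user + NUL */
    if (strchr(user, '@') == NULL)
        n += 1 + strlen(DEFAULT_REALM);        /* "@" + realm */
    return n;
}

/* Would the unbounded copy below write past a CANON_BUF_SIZE-byte heap buffer? */
bool would_overflow(const char *user)
{
    return canon_len_needed(user) > CANON_BUF_SIZE;
}

/* Vulnerable shape (CWE-120): the heap buffer is sized by a constant, but the
 * copy is bounded only by the attacker-controlled source. Never call this on
 * untrusted input; under AddressSanitizer an oversized username reports a
 * heap-buffer-overflow at the strcpy. */
char *canon_user_unsafe(const char *user)
{
    char *out = malloc(CANON_BUF_SIZE);
    if (out == NULL) return NULL;
    strcpy(out, user);
    if (strchr(user, '@') == NULL) {
        strcat(out, "@");
        strcat(out, DEFAULT_REALM);
    }
    return out;
}

/* Hardened shape: compute the full output length first, reject anything that
 * does not fit, and use a length-bounded formatter for the copy. Returns NULL
 * for oversized input instead of writing past the buffer. */
char *canon_user_safe(const char *user)
{
    if (would_overflow(user)) return NULL;
    char *out = malloc(CANON_BUF_SIZE);
    if (out == NULL) return NULL;
    int w = (strchr(user, '@') == NULL)
                ? snprintf(out, CANON_BUF_SIZE, "%s@%s", user, DEFAULT_REALM)
                : snprintf(out, CANON_BUF_SIZE, "%s", user);
    if (w < 0 || (size_t)w >= CANON_BUF_SIZE) { free(out); return NULL; }
    return out;
}

int main(void)
{
    /* Constructed inputs: a benign principal and an oversized one of the kind
     * an untrusted URI username could carry. In the driver this step runs at
     * client setup, before any connection is opened. */
    char oversized[200];
    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';

    char *ok = canon_user_safe("alice");
    printf("safe(\"alice\")   = %s\n", ok ? ok : "(rejected)");
    free(ok);

    char *bad = canon_user_safe(oversized);
    printf("safe(oversized)  = %s\n", bad ? bad : "(rejected)");
    free(bad);

    printf("unsafe copy would overflow for oversized input: %s\n",
           would_overflow(oversized) ? "yes" : "no");
    return 0;
}
```

The point the hardened version makes is that the bound must be computed on the full output, not on the source string: a 60-byte bare username passes a naive strlen check against a 64-byte buffer and still overflows once the realm is appended. Building the unsafe variant with -fsanitize=address and feeding it the oversized name shows the heap-buffer-overflow directly.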

Affected Systems

The flaw affects the MongoDB C Driver (libmongoc) distributed by MongoDB Inc., specifically its Cyrus SASL backend used for GSSAPI authentication. The entry names no affected version range; treat any release that does not carry the fix tracked as CDRIVER-6134 as vulnerable. Exposure is not tied to a particular deployment scenario beyond one condition: the application must build a GSSAPI-authenticating URI from a username it does not control.

Risk and Exploitability

The CVSS 4.0 score of 8.6 (7.8 under CVSS 3.1) rates the flaw high, but both vectors are local (AV:L) with no privileges required, and the 3.1 vector additionally requires user interaction; the SSVC assessment records no known exploitation and rates the flaw as not automatable. No EPSS score is available and the CVE is not in CISA KEV, so the exploitation probability is unknown rather than low. The realistic path is an attacker who can supply the username component of a MongoDB URI that an application hands to the driver, for example through a configuration file, an environment variable, or an input field; the overflow fires during client setup before any connection is opened, so no interaction with a MongoDB server is required.

Generated by OpenCVE AI on May 6, 2026 at 16:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the MongoDB C Driver to the latest released version that includes the patch for CDRIVER-6134
  • If an immediate driver update is not feasible, disable or remove the GSSAPI authentication mechanism from the application configuration to prevent the canonicalization code from executing
  • Treat any user-supplied MongoDB URI, and in particular its username component, as untrusted: enforce a length bound and a character allowlist on the username, percent-encode characters that are reserved in the URI userinfo (such as the '@' in a Kerberos principal), and never let untrusted input choose the authMechanism
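
The validation recommended above can be done by the caller before the URI ever reaches mongoc_client_new. The C code below is an added example and not part of the driver or of OpenCVE's guidance; the length limit, the allowed character set, and the URI template are assumptions made for the example. It bounds the username, allows only the characters a Kerberos principal normally carries with a single '@', percent-encodes the characters reserved in the URI userinfo, and hard-codes authMechanism=GSSAPI so untrusted input cannot select the mechanism.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed policy value for this example; tune it to your principals. */
#define MAX_USER_LEN 128

/* Accept only alphanumerics, '.', '-', '_', '/' and a single interior '@'
 * separating the realm. Everything else, including spaces and URI
 * metacharacters, is refused before the driver sees it. */
bool gssapi_username_ok(const char *user)
{
    size_t len = strlen(user);
    if (len == 0 || len > MAX_USER_LEN) return false;
    if (user[0] == '@' || user[len - 1] == '@') return false;
    int at_count = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)user[i];
        if (c == '@') { at_count++; continue; }
        if (isalnum(c) || c == '.' || c == '-' || c == '_' || c == '/') continue;
        return false;
    }
    return at_count <= 1;
}

/* Percent-encode the characters reserved in the userinfo part of a MongoDB
 * URI (':', '/', '?', '#', '[', ']', '@', '%'). Returns false if the result
 * would not fit in out. */
static bool pct_encode_userinfo(const char *in, char *out, size_t out_sz)
{
    static const char reserved[] = ":/?#[]@%";
    size_t o = 0;
    for (const char *p = in; *p; p++) {
        if (strchr(reserved, *p) != NULL) {
            if (o + 3 >= out_sz) return false;
            snprintf(out + o, out_sz - o, "%%%02X", (unsigned char)*p);
            o += 3;
        } else {
            if (o + 1 >= out_sz) return false;
            out[o++] = *p;
        }
    }
    out[o] = '\0';
    return true;
}

/* Build the connection string with a fixed mechanism. The username is
 * validated and encoded here; untrusted input never chooses authMechanism. */
bool build_gssapi_uri(const char *user, const char *host, char *out, size_t out_sz)
{
    char enc[3 * MAX_USER_LEN + 1];
    if (!gssapi_username_ok(user)) return false;
    if (!pct_encode_userinfo(user, enc, sizeof enc)) return false;
    int w = snprintf(out, out_sz, "mongodb://%s@%s/?authMechanism=GSSAPI", enc, host);
    return w > 0 && (size_t)w < out_sz;
}

int main(void)
{
    /* Constructed inputs: one legitimate principal and two that must be refused. */
    const char *inputs[] = { "alice@EXAMPLE.COM", "alice@EXAMPLE.COM@evil", "a b" };
    char uri[512];
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        if (build_gssapi_uri(inputs[i], "db.example.com", uri, sizeof uri))
            printf("accepted: %s\n", uri);
        else
            printf("rejected: %s\n", inputs[i]);
    }
    return 0;
}
```

The allowlist already excludes the reserved characters other than '@', so the encoder mainly exists for the '@' that every realm-qualified principal contains; keeping it general means a later relaxation of the allowlist cannot turn a username into a URI injection.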

Generated by OpenCVE AI on May 6, 2026 at 16:29 UTC.

Tracking


Advisories

No advisories yet.

History

Wed, 06 May 2026 16:15:00 +0000

Type      Values Removed    Values Added
Metrics                     ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 06 May 2026 15:30:00 +0000

Type         Values Removed    Values Added
Description                    The MongoDB C Driver's Cyrus SASL integration performs unsafe string copying during username canonicalization, enabling a heap buffer overflow before any authentication or network traffic. This may be triggered by passing untrusted input in the username of a MongoDB URI with authMechanism=GSSAPI.
Title                          MongoDB C Driver Cyrus SASL Canonicalization Buffer Overflow
Weaknesses                     CWE-120
References
Metrics                        cvssV3_1: {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}
                               cvssV4_0: {'score': 8.6, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}



MITRE

Status: PUBLISHED

Assigner: mongodb

Published:

Updated: 2026-05-06T15:24:30.738Z

Reserved: 2026-04-20T16:17:41.724Z

Link: CVE-2026-6691

Vulnrichment

Updated: 2026-05-06T15:24:26.254Z

NVD

Status : Received

Published: 2026-05-06T16:16:11.483

Modified: 2026-05-06T16:16:11.483

Link: CVE-2026-6691

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T16:30:06Z

Weaknesses