Description
An authorization flaw in the user management command could allow an authenticated user to make limited changes to authentication-related data associated with another user account. This could affect how authentication is performed for the impacted account.
Published: 2026-04-29
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the updateUser command allows an authenticated user to alter authentication‑related information of another user account, potentially changing how that account authenticates. The vulnerability can lead to unauthorized configuration changes that may compromise account security, though it does not directly enable remote code execution or full privilege escalation.

Affected Systems

MongoDB Server is impacted. No specific version information is disclosed, so all deployed instances of MongoDB Server fall under this advisory.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, and the EPSS score of < 1% suggests a low probability of exploitation based on publicly available data. The vulnerability is not listed in the CISA KEV catalog. Attackers must first authenticate to the system; the flaw is exploitable only by users with legitimate access to the updateUser command. Since the risk involves partial control over authentication data, the threat level is moderate and primarily relevant to environments where user isolation and strict privilege separation are not enforced.

Generated by OpenCVE AI on May 8, 2026 at 13:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official MongoDB patch that resolves the updateUser authorization flaw
  • Restrict the updateUser command to a minimal set of privileged administrators and revoke it from general user roles
  • Enable audit logging for all user management operations to detect unauthorized changes
  • Review and enforce least privilege policies so that users cannot tangibly modify authentication data belonging to other accounts

Generated by OpenCVE AI on May 8, 2026 at 13:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 08 May 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-266
References
Metrics threat_severity

None

 threat_severity

Moderate

Wed, 06 May 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Mongodb mongodb
CPEs cpe:2.3:a:mongodb:mongodb:*:*:*:*:-:*:*:*
Vendors & Products Mongodb mongodb

Wed, 29 Apr 2026 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Mongodb
Mongodb mongodb Server
Vendors & Products Mongodb
Mongodb mongodb Server

Wed, 29 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 29 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Description An authorization flaw in the user management command could allow an authenticated user to make limited changes to authentication-related data associated with another user account. This could affect how authentication is performed for the impacted account.
Title Flaw in the updateUser Command May Allow Unauthorized Configuration Change
Weaknesses CWE-1284
References
Metrics cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

Mongodb Mongodb Mongodb Server
cve-icon MITRE

Status: PUBLISHED

Assigner: mongodb

Published:

Updated: 2026-04-29T17:49:18.851Z

Reserved: 2026-04-23T14:59:47.210Z

Link: CVE-2026-6915

cve-icon Vulnrichment

Updated: 2026-04-29T17:49:15.396Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-29T17:16:41.397

Modified: 2026-05-06T20:08:44.997

Link: CVE-2026-6915

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-29T16:51:01Z

Links: CVE-2026-6915 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-08T14:00:10Z

Weaknesses