Description
When schema validation is enabled on a collection and an update or insert would violate the collection's schema, the local server log message generated may not have all user data redacted.

This issue impacts MongoDB Server v7.0 versions prior to 7.0.34, v8.0 versions prior to 8.0.23, v8.2 versions prior to 8.2.9 and v8.3 versions prior to 8.3.2.
Published: 2026-05-13
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability occurs when schema validation is enabled on a MongoDB collection and an attempted update or insert violates the schema. In this scenario, the server logs a message containing the offending data. The logged message may retain unredacted user information, potentially exposing sensitive data to anyone with access to the logs. This constitutes a data leakage issue classified as CWE-532.

Affected Systems

MongoDB Server versions before 7.0.34, before 8.0.23, before 8.2.9 and before 8.3.2 are affected and need to be upgraded.

Risk and Exploitability

The CVSS score is 4.8, reflecting a moderate risk. EPSS is not available and the vulnerability is not in the CISA KEV catalog. The likely attack vector is an application or administrator that can submit documents that violate the schema; the attacker can then read the unredacted logs via local log access. Because the issue is contained to local log files, remote exploitation is unlikely, but any breach of the logs could expose sensitive data.

Generated by OpenCVE AI on May 13, 2026 at 01:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MongoDB Server to at least 7.0.34, 8.0.23, 8.2.9, or 8.3.2 depending on your current release.
  • If an upgrade is not immediately feasible, restrict write privileges to collections with schema validation and ensure that application-level sanitization removes sensitive information before writes.
  • Audit and review server logs to confirm that validation error messages no longer contain user data; configure log filtering or masking if necessary.
  • As a last resort, disable schema validation temporarily while remediation is performed, but only if the risk of unredacted logs is deemed unacceptable.
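
For deployments that run with log redaction enabled, the log audit recommended above can be scripted. This is an added example, not code from OpenCVE or MongoDB: it assumes JSON-structured mongod log lines, the message text "Document would fail validation", "###" as the redaction placeholder and the attr field names shown, and its sample lines are constructed.

```python
import json

# Assumptions (not stated in the advisory): the msg text that marks a
# validation failure, and "###" as the placeholder written for redacted values.
VALIDATION_MSG = "Document would fail validation"
REDACTED = "###"
METADATA_KEYS = {"namespace"}  # assumed attr keys that never hold user data

SAMPLE_LOG = [  # constructed sample lines, not real server output
    '{"s":"W","c":"STORAGE","ctx":"conn1","msg":"Document would fail validation","attr":{"namespace":"app.users","document":{"_id":"###","ssn":"###"},"errInfo":{"details":{"consideredValue":"123-45-6789"}}}}',
    '{"s":"W","c":"STORAGE","ctx":"conn2","msg":"Document would fail validation","attr":{"namespace":"app.users","document":{"_id":"###"},"errInfo":{"details":{"consideredValue":"###"}}}}',
    'plain-text line from an older log format',
    '{"s":"I","c":"NETWORK","ctx":"listener","msg":"Connection accepted","attr":{"remote":"127.0.0.1:50000"}}',
]


def unredacted_leaves(value, path="attr"):
    """Yield the path of every leaf value that is not the redaction placeholder."""
    if isinstance(value, dict):
        for key, child in value.items():
            yield from unredacted_leaves(child, f"{path}.{key}")
    elif isinstance(value, list):
        for i, child in enumerate(value):
            yield from unredacted_leaves(child, f"{path}[{i}]")
    elif value != REDACTED:
        yield path


def audit_log(lines):
    """Return [(line_no, [paths])] for validation entries holding clear-text leaves."""
    findings = []
    for line_no, raw in enumerate(lines, start=1):
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue  # not a structured log line
        attr = entry.get("attr") if isinstance(entry, dict) else None
        if not isinstance(attr, dict) or entry.get("msg") != VALIDATION_MSG:
            continue
        fields = {k: v for k, v in attr.items() if k not in METADATA_KEYS}
        paths = list(unredacted_leaves(fields))  # paths only, values are not copied
        if paths:
            findings.append((line_no, paths))
    return findings
```

The function reports field paths rather than values so that the audit output does not become a second copy of the leaked data; each flagged path still needs manual review, since some leaves may be schema metadata rather than user data.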

Advisories

No advisories yet.

History

Mon, 18 May 2026 13:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Mongodb mongodb
CPEs | | cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*
Vendors & Products | | Mongodb mongodb

Wed, 13 May 2026 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 13 May 2026 02:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Mongodb; Mongodb mongodb Server
Vendors & Products | | Mongodb; Mongodb mongodb Server

Wed, 13 May 2026 00:30:00 +0000

Type | Values Removed | Values Added
Description | | When schema validation is enabled on a collection and an update or insert would violate the collection's schema, the local server log message generated may not have all user data redacted. This issue impacts MongoDB Server v7.0 versions prior to 7.0.34, v8.0 versions prior to 8.0.23, v8.2 versions prior to 8.2.9 and v8.3 versions prior to 8.3.2.
Title | | Schema validation log messages may not redact user data
Weaknesses | | CWE-532
References | |
Metrics | | cvssV3_1: {'score': 2.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N'}; cvssV4_0: {'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: mongodb

Published:

Updated: 2026-05-13T14:31:27.118Z

Reserved: 2026-05-08T23:42:04.192Z

Link: CVE-2026-8200

Vulnrichment

Updated: 2026-05-13T14:31:22.403Z

NVD

Status: Analyzed

Published: 2026-05-13T04:17:41.700

Modified: 2026-05-18T13:01:44.210

Link: CVE-2026-8200

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T02:15:30Z
