Description
MongoDB server may log authentication parameters, including credentials, to the server log during SASL authentication. When connection health metric logging is enabled, the full authentication parameters are written to the log without redaction.
Published: 2026-06-09
Score: 6.8 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows MongoDB server logs to capture authentication parameters, including credentials, during SASL authentication when connection health metric logging is enabled. This leads to the unintentional exposure of sensitive credentials, creating a risk of unauthorized access to the MongoDB instance or to other systems that accept the captured credentials. The weakness is a data exposure flaw, classified as CWE-532 (insertion of sensitive information into a log file).

Affected Systems

Affected vendors include MongoDB for its MongoDB Server product. No specific version information is provided, so all deployed installations of MongoDB Server may be vulnerable until a patch or configuration change is applied.

Risk and Exploitability

The CVSS score is 6.8, indicating moderate severity, and the EPSS score is not available. The vulnerability is not listed in CISA KEV. The likely attack vector requires an attacker to have access to the server logs, which typically implies local or privilege-assisted access; the CVSS vectors recorded for this CVE (AV:L, PR:L) reflect the same assumption of a local, low-privilege attacker. If an attacker can read the logs, they can obtain authentication credentials. The risk is considered moderate, but remediation is advised to prevent potential credential compromise.

Generated by OpenCVE AI on June 10, 2026 at 00:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Disable connection health metric logging to stop credentials from being written to logs
  • Restrict log file permissions so only trusted administrators can read them
  • Monitor log files for unauthorized access and apply any vendor patch as soon as it becomes available

Generated by OpenCVE AI on June 10, 2026 at 00:23 UTC.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 23:00:00 +0000

Type         Values Removed   Values Added
Description  (none)           MongoDB server may log authentication parameters, including credentials, to the server log during SASL authentication. When connection health metric logging is enabled, the full authentication parameters are written to the log without redaction.
Title        (none)           Keyfile contents are in MongoDB Server logs
Weaknesses   (none)           CWE-532
References   (none)           (none)
Metrics      (none)           cvssV3_1: {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}
                              cvssV4_0: {'score': 6.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: mongodb

Published:

Updated: 2026-06-09T22:40:55.614Z

Reserved: 2026-05-27T17:26:51.759Z

Link: CVE-2026-9735

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-09T23:17:03.287

Modified: 2026-06-09T23:17:03.287

Link: CVE-2026-9735

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T00:30:17Z

Weaknesses