Description
When OIDC authentication is enabled in configuration, clients may set specific values in the "mechanism" parameter of the "authenticate" command that lead to server crash. The authenticate command is accessible to unauthenticated clients, leading to pre-auth denial-of-service in affected product configurations.
Published: 2026-06-09
Score: 8.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

When OIDC authentication is enabled in the server configuration, clients can supply specially crafted values in the "mechanism" parameter of the "authenticate" command that cause MongoDB Server to crash. Because the authenticate command is available to unauthenticated clients, the flaw yields a pre‑authentication denial‑of‑service that can halt the database service and disrupt availability on any affected system.

Affected Systems

MongoDB: MongoDB Server is affected. Version details are not supplied in the current data, so any release with OIDC authentication enabled in its configuration may be impacted.

Risk and Exploitability

The CVSS score of 8.2 indicates high severity. No EPSS score is available, so the statistical probability of exploitation cannot be quantified from the data. The flaw is not listed in CISA's KEV catalog. An attacker only needs to reach the unauthenticated "authenticate" command exposed on the MongoDB Server interface; no privileges or prior authentication are required. Once a malformed "mechanism" value is processed, the server crashes, interrupting service availability.

Generated by OpenCVE AI on June 9, 2026 at 23:22 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the latest official MongoDB Server patch that addresses the crash caused by malformed "mechanism" values in the OIDC "authenticate" command
  • If a patch is not immediately available, temporarily disable OIDC authentication in the configuration to prevent the vulnerable command from being invoked
  • Restrict access to the MongoDB port so only trusted internal hosts or network segments can send authentication requests, reducing the attack surface for unauthenticated clients



Advisories

No advisories yet.

History

Wed, 10 Jun 2026 01:30:00 +0000

Type                 Values Removed    Values Added
First Time appeared                    Mongodb; Mongodb mongodb Server
Vendors & Products                     Mongodb; Mongodb mongodb Server

Tue, 09 Jun 2026 22:30:00 +0000

Type          Values Removed    Values Added
Description                     When OIDC authentication is enabled in configuration, clients may set specific values in the "mechanism" parameter of the "authenticate" command that lead to server crash. The authenticate command is accessible to unauthenticated clients, leading to pre-auth denial-of-service in affected product configurations.
Title                           Authenticate command with specific mechanism parameter can trigger server crash
Weaknesses                      CWE-1287
References
Metrics                         cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}
                                cvssV4_0: {'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: mongodb

Published:

Updated: 2026-06-09T21:57:46.304Z

Reserved: 2026-05-27T17:34:08.786Z

Link: CVE-2026-9742

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-09T23:17:03.727

Modified: 2026-06-09T23:17:03.727

Link: CVE-2026-9742

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T01:15:18Z

Weaknesses