Description
The ldapQueryPassword parameter, when set through the runtime setParameter command, will log the new password to the mongod.log file in plain text.
Published: 2026-06-09
Score: 6.8 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker who can execute the runtime setParameter command to set ldapQueryPassword, resulting in the new password being written in plain text to mongod.log. This disclosure of credentials jeopardizes confidentiality.

Affected Systems

MongoDB Server is affected. No specific version information is provided, so all installations that could accept the runtime setParameter command and log ldapQueryPassword are potentially impacted.

Risk and Exploitability

The CVSS score of 6.8 indicates a moderate severity. EPSS is not available, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to require the ability to issue runtime setParameter commands, which typically implies privileged access or an exposed administrative interface. Once exploited, the attacker can read the log file to access plaintext passwords.

Generated by OpenCVE AI on June 10, 2026 at 01:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest MongoDB Server patch that addresses SERVER-123370.
  • Restrict use of the runtime setParameter command to trusted administrators and disable ldapQueryPassword configuration if it is not required.
  • Configure secure logging practices: enable log rotation, limit retention, and monitor logs for sensitive data entries.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 23:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | The ldapQueryPassword parameter, when set through the runtime setParameter command, will log the new password to the mongod.log file in plain text. |
| Title | | Sensitive data could be written to mongod.log |
| Weaknesses | | CWE-532 |
| References | | |
| Metrics | | cvssV3_1: {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}; cvssV4_0: {'score': 6.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'} |


MITRE

Status: PUBLISHED

Assigner: mongodb

Published:

Updated: 2026-06-09T22:24:25.193Z

Reserved: 2026-05-27T17:48:24.554Z

Link: CVE-2026-9751

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-09T23:17:04.643

Modified: 2026-06-09T23:17:04.643

Link: CVE-2026-9751

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T01:45:18Z

Weaknesses