Description
The ldapQueryPassword parameter, when set through the runtime setParameter command, will log the new password to the mongod.log file in plain text.
Published: 2026-06-09
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker who can execute the runtime setParameter command to set ldapQueryPassword, resulting in the new password being written in plain text to mongod.log. This disclosure of credentials jeopardizes confidentiality.

Affected Systems

MongoDB Server is affected. No specific version information is provided, so all installations that could accept the runtime setParameter command and log ldapQueryPassword are potentially impacted.

Risk and Exploitability

The CVSS score of 6.8 indicates medium severity. EPSS is not available, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to require the ability to issue runtime setParameter commands, which typically implies privileged access or an exposed administrative interface. Once exploited, the attacker can read the log file to access plaintext passwords.

Generated by OpenCVE AI on June 10, 2026 at 01:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest MongoDB Server patch that addresses SERVER-123370.
  • Restrict use of the runtime setParameter command to trusted administrators and disable ldapQueryPassword configuration if it is not required.
  • Configure secure logging practices: enable log rotation, limit retention, and monitor logs for sensitive data entries.

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 20:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Mongodb mongodb
CPEs | | cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*
Vendors & Products | | Mongodb mongodb

Wed, 10 Jun 2026 14:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 10 Jun 2026 03:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Mongodb; Mongodb mongodb Server
Vendors & Products | | Mongodb; Mongodb mongodb Server

Tue, 09 Jun 2026 23:00:00 +0000

Type | Values Removed | Values Added
Description | | The ldapQueryPassword parameter, when set through the runtime setParameter command, will log the new password to the mongod.log file in plain text.
Title | | Sensitive data could be written to mongod.log
Weaknesses | | CWE-532
References | |
Metrics | | cvssV3_1: {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}
Metrics | | cvssV4_0: {'score': 6.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: mongodb

Published:

Updated: 2026-06-10T13:27:31.811Z

Reserved: 2026-05-27T17:48:24.554Z

Link: CVE-2026-9751

Vulnrichment

Updated: 2026-06-10T13:27:22.710Z

NVD

Status: Analyzed

Published: 2026-06-09T23:17:04.643

Modified: 2026-06-12T20:43:58.123

Link: CVE-2026-9751

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T03:00:10Z

Weaknesses
  • CWE-532

    Insertion of Sensitive Information into Log File