VYPR
Unrated severity · NVD Advisory · Published Aug 6, 2019 · Updated Aug 4, 2024

Authorization session conflation

CVE-2019-2386

Description

Improper session invalidation after user deletion in MongoDB allows authenticated sessions to persist if a username is reused, enabling unauthorized access.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

MongoDB Server fails to properly invalidate authorization sessions when a user is deleted. If the same username is later recreated, an existing session that was not actively used after deletion can become conflated with the new account, granting the session holder the privileges of the recreated user. This affects MongoDB Server versions prior to 4.0.9, 3.6.13, and 3.4.22 [1][2].

Exploitation

An attacker must first have an active authenticated session as a user (e.g., via mongo shell). An administrator then deletes that user and later recreates a user with the same name. If the attacker does not attempt any action on the session between the deletion and recreation, the session remains valid and can be reused after the new user is created [1]. The attacker does not need to know the new user’s credentials.

Impact

A successful attack allows an attacker to regain access to the MongoDB server with the privileges assigned to the recreated user. This can lead to unauthorized reading, writing, or modification of data, depending on the roles assigned to the new account. The persistence of the session effectively compromises the intended revocation of access [1][2].

Mitigation

Upgrade to MongoDB Server versions 4.0.9, 3.6.13, or 3.4.22 respectively [1][2]. As a workaround, restart any nodes that may have had active user sessions after user deletion, and avoid creating user accounts with the same name as previously deleted accounts [2].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • MongoDB/Server (llm-fuzzy)
    Range: >=3.4.0, <3.4.22; >=3.6.0, <3.6.13; >=4.0.0, <4.0.9
  • MongoDB Inc./MongoDB Server (v5)
    Range: 4.0

Patches

No patches discovered yet.

Vulnerability mechanics

Root cause

"Improper invalidation of authorization sessions after user deletion allows a stale session to be reused if a user with the same name is recreated."

Attack vector

An attacker who already has an authenticated session as a user (e.g., "abc") can persist access after an administrator deletes that user, provided the attacker does not attempt any action on the session between deletion and recreation [ref_id=1]. If the administrator later recreates a user with the same name (even with a different password), the attacker's stale session becomes valid again and can be used to access database contents [ref_id=1]. The attack requires network access to the MongoDB server, prior authentication as the deleted user, and an administrator who reuses the deleted username [CWE-287].

Affected code

The advisory does not specify particular functions or files. The vulnerability exists in the session and authorization management subsystem of MongoDB Server versions prior to 4.0.9, 3.6.13, and 3.4.22 [ref_id=1].

What the fix does

The advisory does not include a patch diff, but the fix was released in MongoDB Server v4.0.9, v3.6.13, and v3.4.22 [ref_id=1]. The vendor's remediation ensures that when a user is deleted, all existing authorization sessions for that user are properly invalidated, preventing reuse even if a user with the same name is later created [ref_id=1]. The recommended workaround is to restart any nodes that may have had active sessions after user deletion and to avoid recreating accounts with the same name as deleted accounts.

Preconditions

  • auth: Attacker must have an established authenticated session as a user who will later be deleted
  • config: Administrator must delete the user and later recreate a user with the same username
  • input: No activity may be attempted on the attacker's session between user deletion and recreation
  • network: Network access to the MongoDB server is required

Reproduction

Using the mongo shell utility, an administrator creates user "abc", an attacker connects as "abc", the administrator drops user "abc", then recreates user "abc" (possibly with a different password). The attacker's original session can then execute queries such as `db.test.findOne()` without re-authenticating [ref_id=1].
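The following is an added illustration, not MongoDB's code and not part of this advisory: a toy authorization store that replays the reproduction above in two modes. With `hardened=False` it models the root cause (sessions identified by username only, deletion leaves them in place, so a recreated "abc" revives the idle session); with `hardened=True` it models the described fix (sessions bound to a unique per-user id and purged when the user is dropped). All names and the id scheme are assumptions made for the model.

```python
import itertools

class AuthStore:
    """Toy authorization store. hardened=False models the bug (sessions keyed by
    username only, deletion leaves them); hardened=True binds sessions to a
    per-user unique id and purges them when the user is dropped."""
    def __init__(self, hardened):
        self.hardened = hardened
        self.users = {}      # username -> (password, unique user id)
        self.sessions = {}   # session id -> (username, user id at login)
        self._uid, self._sid = itertools.count(1), itertools.count(1)
    def create_user(self, name, password):
        self.users[name] = (password, next(self._uid))  # recreation => new id
    def login(self, name, password):
        pw, uid = self.users.get(name, (None, None))
        if pw != password:
            raise PermissionError("bad credentials")
        sid = next(self._sid)
        self.sessions[sid] = (name, uid)
        return sid
    def drop_user(self, name):
        _, uid = self.users.pop(name)
        if self.hardened:  # the fix: invalidate this user's sessions eagerly
            for sid in [s for s, (_, u) in self.sessions.items() if u == uid]:
                del self.sessions[sid]
    def query(self, sid):
        name, uid = self.sessions[sid]  # KeyError once invalidated
        current = self.users.get(name)
        if current is None:  # vulnerable path: only noticed when the session is used
            del self.sessions[sid]
            raise PermissionError("user no longer exists")
        if self.hardened and current[1] != uid:  # same name, different identity
            raise PermissionError("stale session")
        return f"ok as {name}"

def stale_session_reusable(store, touch_between=False):
    """Replay the advisory's reproduction: create "abc", log in as it, drop it,
    recreate it with a new password, then use the old session. True = bug."""
    store.create_user("abc", "pw1")
    sid = store.login("abc", "pw1")
    store.drop_user("abc")
    if touch_between:  # any use of the session before recreation ends it
        try:
            store.query(sid)
        except (PermissionError, KeyError):
            pass
    store.create_user("abc", "pw2")
    try:
        return store.query(sid).startswith("ok")
    except (PermissionError, KeyError):
        return False
```

The `touch_between` flag reproduces the precondition that the session must stay idle between deletion and recreation: in the vulnerable mode, touching it in that window is what finally discards it.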

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References
