CVE-2026-9735

Vulnerability

MongoDB server versions prior to 7.0.10, 6.0.14, 5.0.28, and 4.4.28 may log sensitive authentication parameters, including credentials, to the server log during SASL authentication. This occurs specifically when connection health metric logging is enabled, leading to unredacted logging of these parameters [1].

Exploitation

An attacker with access to the MongoDB server logs can exploit this vulnerability. The vulnerability is triggered automatically when connection health metric logging is enabled and SASL authentication is performed. No specific user interaction or network access beyond log access is required for exploitation.

Impact

Successful exploitation allows an attacker who can access the server logs to obtain sensitive authentication credentials, such as usernames and passwords. This could lead to unauthorized access to the MongoDB database and potential compromise of the data stored within it.

Mitigation

This vulnerability is fixed in MongoDB versions 7.0.10, 6.0.14, 5.0.28, and 4.4.28. Users are advised to upgrade to these or later versions. No workarounds are specified in the available references, and the vulnerability is not listed as actively exploited in the wild.