CVE-2026-9742
Published 2026-06-09
Priority P3 · 45 · high · 7.5 CVSS 3.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.35% (26.5th percentile)
When OIDC authentication is enabled in configuration, clients may set specific values in the "mechanism" parameter of the "authenticate" command that lead to server crash. The authenticate command is accessible to unauthenticated clients, leading to pre-auth denial-of-service in affected product configurations.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mongodb | mongodb_server | >= 8.2.0 < 8.2.10 | 8.2.10 |
| mongodb | mongodb_server | >= 8.3.0 < 8.3.3 | 8.3.3 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| NVD | 4.0 | 8.2 | HIGH | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
VulDB
MongoDB Server up to 8.2.9/8.3.2 mechanism improper validation of specified type of input (Nessus ID 320841)
vuldb · 2026-06-13 · CVSS 7.5 · HIGH
A vulnerability identified as problematic has been detected in MongoDB Server up to 8.2.9/8.3.2. This issue affects some unknown processing. This manipulation of the argument mechanism causes improper validation of specified type of input.
The identification of this vulnerability is CVE-2026-9742. It is possible to initiate the attack remotely. There is no exploit available.
You should upgrade the affected component.
GHSA
ghsa_unreviewed · 2026-06-10 · CWE-1287 · HIGH
When OIDC authentication is enabled in configuration, clients may set specific values in the "mechanism" parameter of the "authenticate" command that lead to server crash. The authenticate command is accessible to unauthenticated clients, leading to pre-auth denial-of-service in affected product configurations.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.