CVEFinder.io

CVE-2026-9742

⚠️ high
🔍 Scan for this CVE
Summary

When OIDC authentication is enabled in configuration, clients may set specific values in the "mechanism" parameter of the "authenticate" command that lead to server crash. The authenticate command is accessible to unauthenticated clients, leading to pre-auth denial-of-service in affected product configurations.

CVSS Score
7.5
High
EPSS Score
0.4
Exploit Probability
Published Date
2026-06-09
First Seen: 2026-06-10
📊 Relative Risk Intelligence

This CVE is Moderate Risk - more severe than 68.9% of all 329,456 vulnerabilities in our database.

#102,448
Above average severity
Severity Percentile
🎯 CISA SSVC Assessment Updated: Jun 10, 2026
🔍 Exploitation Status
None
No known exploits
⚙️ Automatable
NO
Requires human interaction
💥 Technical Impact
Partial
Limited system impact
SSVC data provided by CISA
Last Modified 2026-06-18
Source NVD 🔗
CVSS Vector 3.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS Vector 4.0 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CWE IDs (Weakness Types)
CWE-1287

📦 Affected Products 2

Vendor Product Status Affected Versions
mongodb mongodb Affected
> 8.2.0 < 8.2.10
mongodb mongodb Affected
> 8.3.0 < 8.3.3

🔗 References 1

https://jira.mongodb.org/browse/SERVER-124183
Patch Vendor Advisory Issue Tracking

🔗 Related CVEs 6

CVE ID Severity CVSS EPSS Summary Published
CVE-2026-11933 ⚠️ high 8.8 0.4 A use-after-free vulnerability exists in MongoDB Server's server-side JavaScript engine when converting BSON documents t... 2026-06-12
CVE-2026-9735 🔶 medium 5.5 0.1 MongoDB server may log authentication parameters, including credentials, to the server log during SASL authentication. W... 2026-06-09
CVE-2026-9740 ⚠️ high 7.5 0.3 A vulnerability in MongoDB Server's BSON validation logic allows an unauthenticated user to crash the mongod process by ... 2026-06-09
CVE-2026-9741 🔶 medium 6.5 0.1 A bug in query analysis processing of the $vectorSearch aggregation stage for Queryable Encryption (QE) or Client-Side F... 2026-06-09
CVE-2026-9743 🔶 medium 6.5 0.2 In MongoDB Server 8.0, an aggregation stage can leave its _subPipeline field null during processing of certain pipelines... 2026-06-09
CVE-2026-9746 🔶 medium 6.5 0.3 When using $changestreams and $_requestReshardingResumeToken with the exchange option the server hits an invariant which... 2026-06-09
These CVEs affect the same products