HIGH · CVE-2026-9742 · CNA: mongodb

CVE-2026-9742: Authenticate command with specific mechanism parameter can trigger server crash

When OIDC authentication is enabled in configuration, clients may set specific values in the "mechanism" parameter of the "authenticate" command that lead to server crash. The authenticate command is accessible to unauthenticated clients, leading to pre-auth denial-of-service in affected product configurations.

Metrics

  • CVSS v4.0: 8.2
  • Severity: HIGH
  • Fixed in: 8.2.10
  • Affected Products: 1


HarborGuard Analysis

Synopsis

A pre-authentication denial-of-service vulnerability affects MongoDB Server versions 8.2.0 through 8.2.9 and 8.3.0 through 8.3.2 when OIDC authentication is enabled. An unauthenticated remote attacker can send a crafted "mechanism" parameter value in the "authenticate" command, triggering a server crash without any prior login. Successful exploitation brings down the MongoDB process, making the database unavailable to all connected applications. Patched-image rebuilds at versions 8.2.10 and 8.3.3 are available on HarborGuard for affected environments.

HarborGuard Coverage

Detection (Available)

Detection of CVE-2026-9742 is available across every HarborGuard environment, with the CVE matched against images in customer registries and CI/CD pipelines within minutes of publication from upstream feeds, including custom-built images that bundle MongoDB Server.

Triage (Available)

HarborGuard is capable of scoring this CVE at CVSS 8.2 (High) and weighting it against each environment's compliance policy to prioritize alerts; per-org routing ensures the finding lands in the right team inbox without manual triage overhead.

Patch (Available)

A patched-image rebuild at MongoDB Server 8.2.10 or 8.3.3 is available on HarborGuard for any environment running an affected version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the MongoDB Server's listen port over the network; any host with TCP access to the port can send the malicious authenticate command.

  • Authentication: Not required

    The authenticate command is accessible to unauthenticated clients, so no credentials or account of any kind are needed before triggering the crash.

  • Victim interaction: Not required

    No user or administrator action is needed; the attacker sends the crafted command directly to the server without any social-engineering step.

  • Attack complexity: Low (AC:L)

    The CVSS vector notes an attack requirement of Partial (AT:P), meaning the vulnerable OIDC code path is only reachable when OIDC authentication is explicitly enabled in the server configuration, though no other environmental condition must be timed or manipulated.

Blast Radius

  • Crashes the MongoDB Server process, taking the database offline and blocking all read and write operations until the service is manually or automatically restarted.
  • Any application or service that depends on the affected MongoDB instance loses its database connection for the duration of the outage.
  • Repeated unauthenticated requests can be used to sustain a crash loop, preventing operators from restoring service without first mitigating network access to the port.

How HarborGuard Handles This

Available on HarborGuard: images containing MongoDB Server in the affected 8.2.x and 8.3.x ranges are flagged automatically within minutes of CVE ingestion. For customers who opt into auto-remediation, HarborGuard rebuilds the image at the patched version (8.2.10 or 8.3.3 depending on the installed branch), runs a regression test suite, and opens a pull request against affected workloads; the median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy does not permit auto-remediation, the finding is routed to the appropriate team inbox with CVSS severity weighting applied.

Because exploitation requires OIDC to be enabled, customers who cannot patch immediately may reduce exposure by verifying whether OIDC is in use and, where it is not, confirming it remains disabled. Where OIDC is required, network-policy controls that restrict MongoDB port access to known application-tier sources limit the set of hosts that can send unauthenticated authenticate commands.
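The triage the paragraph above describes (is this server in an affected version range, and is OIDC actually enabled?) can be scripted from two admin commands that MongoDB exposes: `buildInfo` for the version and `getParameter` for the `authenticationMechanisms` server parameter, where OIDC shows up as `MONGODB-OIDC`. The example below is added here and is not HarborGuard's or MongoDB's code; the two JSON responses it consumes are constructed samples shaped like those commands' output, and the verdict strings are this example's own.

```python
"""Exposure triage for CVE-2026-9742 (added example; not HarborGuard's or MongoDB's code).

Inputs are the JSON text of two real admin-command responses:
  db.adminCommand({buildInfo: 1})                         -> {"version": "8.2.9", ...}
  db.adminCommand({getParameter: 1, authenticationMechanisms: 1})
                                                          -> {"authenticationMechanisms": [...], ...}
The affected ranges come straight from the advisory: 8.2.0 <= v < 8.2.10 and 8.3.0 <= v < 8.3.3.
"""
import json
import re
from typing import Iterable, Tuple

# Half-open [first affected, first fixed) ranges per release branch, from the advisory.
AFFECTED_RANGES = (
    ((8, 2, 0), (8, 2, 10)),
    ((8, 3, 0), (8, 3, 3)),
)


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '8.2.9' or '8.3.1-rc0' into a comparable (major, minor, patch) tuple.

    The leading three numeric components are all that matters for range checks;
    a pre-release suffix such as '-rc0' is ignored rather than rejected.
    """
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised MongoDB version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def version_affected(version: str) -> bool:
    """True if the version falls inside one of the advisory's affected ranges."""
    v = parse_version(version)
    return any(start <= v < fixed for start, fixed in AFFECTED_RANGES)


def oidc_enabled(mechanisms: Iterable[str]) -> bool:
    """True if MONGODB-OIDC is among the enabled authentication mechanisms."""
    return any(m.strip().upper() == "MONGODB-OIDC" for m in mechanisms)


def triage(build_info_json: str, get_parameter_json: str) -> dict:
    """Combine version and OIDC state into one verdict for a single server."""
    version = json.loads(build_info_json)["version"]
    mechanisms = json.loads(get_parameter_json).get("authenticationMechanisms", [])
    affected = version_affected(version)
    oidc = oidc_enabled(mechanisms)
    if affected and oidc:
        verdict = "EXPOSED: affected version with OIDC enabled; patch, or restrict port access until patched"
    elif affected:
        verdict = "AT RISK: affected version, OIDC disabled; patch and keep OIDC off until then"
    else:
        verdict = "NOT AFFECTED: version outside the advisory's ranges"
    return {
        "version": version,
        "affected_version": affected,
        "oidc_enabled": oidc,
        "verdict": verdict,
    }


# Constructed sample responses (not captured from a real deployment).
SAMPLE_BUILD_INFO = '{"version": "8.2.9", "gitVersion": "PLACEHOLDER", "ok": 1}'
SAMPLE_GET_PARAMETER = '{"authenticationMechanisms": ["SCRAM-SHA-256", "MONGODB-OIDC"], "ok": 1}'

if __name__ == "__main__":
    result = triage(SAMPLE_BUILD_INFO, SAMPLE_GET_PARAMETER)
    print(json.dumps(result, indent=2))
```

Run against each server's actual command output, the script separates the three cases operators care about: patch urgently and restrict the port (affected and OIDC on), patch on the normal schedule while keeping OIDC off (affected, OIDC off), and nothing to do (outside the ranges).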


Fix available

  • 8.2.10
  • 8.3.3

Affected packages

  • MongoDB / MongoDB Server: < 8.3.3 (from 8.3.0) · < 8.2.10 (from 8.2.0)

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N