{"document":{"category":"csaf_vex","csaf_version":"2.0","title":"CVE-2026-9742: Authenticate command with specific mechanism parameter can trigger server crash","publisher":{"category":"vendor","name":"HarborGuard Database","namespace":"https://database.harborguard.co"},"tracking":{"id":"CVE-2026-9742","status":"final","version":"1","initial_release_date":"2026-06-09T21:57:46.304Z","current_release_date":"2026-06-10T13:22:12.269Z","revision_history":[{"date":"2026-06-09T21:57:46.304Z","number":"1","summary":"Initial machine-readable export from HarborGuard."}]},"distribution":{"tlp":{"label":"WHITE"},"text":"Public CVE data; freely redistributable."},"notes":[{"category":"description","text":"When OIDC authentication is enabled in configuration, clients may set specific values in the \"mechanism\" parameter of the \"authenticate\" command that lead to server crash. The authenticate command is accessible to unauthenticated clients, leading to pre-auth denial-of-service in affected product configurations.","title":"CVE description"}],"references":[{"category":"self","summary":"CVE-2026-9742 on HarborGuard Database","url":"https://database.harborguard.co/cve/CVE-2026-9742"},{"category":"external","summary":"CVE Record","url":"https://www.cve.org/CVERecord?id=CVE-2026-9742"},{"category":"external","summary":"jira.mongodb.org","url":"https://jira.mongodb.org/browse/SERVER-124183"}]},"product_tree":{"branches":[{"category":"vendor","name":"MongoDB","branches":[{"category":"product_name","name":"MongoDB Server","branches":[{"category":"product_version_range","name":">=8.3.0 <8.3.3","product":{"name":"MongoDB MongoDB Server >=8.3.0 <8.3.3","product_id":"CSAFPID-1","product_identification_helper":{"cpe":"cpe:2.3:a:mongodb:mongodb_server:*:*:*:*:*:*:*:*"}}},{"category":"product_version_range","name":">=8.2.0 <8.2.10","product":{"name":"MongoDB MongoDB Server >=8.2.0 <8.2.10","product_id":"CSAFPID-2","product_identification_helper":{"cpe":"cpe:2.3:a:mongodb:mongodb_server:*:*:*:*:*:*:*:*"}}}]}]}]},"vulnerabilities":[{"cve":"CVE-2026-9742","title":"Authenticate command with specific mechanism parameter can trigger server crash","notes":[{"category":"description","text":"When OIDC authentication is enabled in configuration, clients may set specific values in the \"mechanism\" parameter of the \"authenticate\" command that lead to server crash. The authenticate command is accessible to unauthenticated clients, leading to pre-auth denial-of-service in affected product configurations.","title":"CVE description"}],"product_status":{"known_affected":["CSAFPID-1","CSAFPID-2"]},"scores":[{"cvss_v4":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N","baseScore":8.2,"baseSeverity":"HIGH"},"products":["CSAFPID-1","CSAFPID-2"]}],"remediations":[{"category":"vendor_fix","details":"Update to a fixed version: 8.2.10, 8.3.3.","product_ids":["CSAFPID-1","CSAFPID-2"]}]}]}