CVE-2026-9742

HIGH

Authenticate command with specific mechanism parameter can trigger server crash

Title source: cna

Description

When OIDC authentication is enabled in configuration, clients may set specific values in the "mechanism" parameter of the "authenticate" command that lead to server crash. The authenticate command is accessible to unauthenticated clients, leading to pre-auth denial-of-service in affected product configurations.

References (1)

Core 1

Core References

https://jira.mongodb.org/browse/SERVER-124183

Scores

CVSS v3 7.5

EPSS 0.0037

EPSS Percentile 28.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-1287

Status published

Products (2)

MongoDB/MongoDB Server 8.2.0 - 8.2.10

MongoDB/MongoDB Server 8.3.0 - 8.3.3

Published Jun 09, 2026

Tracked Since Jun 10, 2026