PatchSiren cyber security CVE debrief
CVE-2026-8200 MongoDB CVE debrief
CVE-2026-8200 is a MongoDB Server information-disclosure issue in which a local server log message generated during a schema validation failure may not fully redact user data. The issue affects MongoDB Server v7.0 prior to 7.0.34, v8.0 prior to 8.0.23, v8.2 prior to 8.2.9, and v8.3 prior to 8.3.2. The practical concern is leakage of sensitive fields into server logs when an insert or update violates collection schema validation.
- Vendor: MongoDB
- Product: Unknown
- CVSS: MEDIUM 4.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-13
- Original CVE updated: 2026-05-18
- Advisory published: 2026-05-13
- Advisory updated: 2026-05-18
Who should care
MongoDB administrators, application teams that use schema validation, and operators who retain or centrally aggregate MongoDB server logs. Organizations that store sensitive data in collections with validation rules should treat this as a log-hygiene and data-exposure issue.
Technical summary
According to the NVD record, the vulnerability occurs when schema validation is enabled on a collection and an insert or update violates that schema. In that path, the locally generated server log message may not redact all user data. NVD marks the weakness as CWE-532 (Insertion of Sensitive Information into Log File). Affected versions are MongoDB Server v7.0 < 7.0.34, v8.0 < 8.0.23, v8.2 < 8.2.9, and v8.3 < 8.3.2. The published CVSS 4.0 vector is rated 4.8 (Medium).
Defensive priority
Medium. This is not a remote code execution issue, but it can expose sensitive data in logs. Prioritize it if your environment logs validation failures, centralizes logs broadly, or handles regulated or confidential data.
Recommended defensive actions
- Upgrade MongoDB Server to a fixed release: 7.0.34, 8.0.23, 8.2.9, or 8.3.2 as applicable.
- Review access controls for local and centrally aggregated MongoDB logs so only authorized personnel can read them.
- Audit existing logs for validation-failure entries that may contain unredacted user data and handle them according to your data retention and incident processes.
- If schema validation is used on sensitive collections, verify that application logging, log shipping, and alerting pipelines do not widen exposure of server logs.
- Track the vendor advisory and related issue SERVER-121895 for any follow-up guidance.
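To decide which servers the upgrade action applies to, the version ranges stated above can be checked against an inventory. The following is an added example, not code from MongoDB or from the NVD record; the host names and sample inventory are constructed, and treating a pre-release build of a fixed version as affected is an assumption.

```python
import re

# Fixed patch level per affected branch, taken from the advisory text above.
FIXED = {(7, 0): 34, (8, 0): 23, (8, 2): 9, (8, 3): 2}

_VERSION = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.\-]+)?$")


def classify(version):
    """Return 'affected', 'fixed', 'branch-not-listed' or 'unparseable'."""
    m = _VERSION.match(version.strip())
    if not m:
        return "unparseable"
    major, minor, patch = (int(g) for g in m.groups()[:3])
    prerelease = m.group(4) is not None
    fixed_patch = FIXED.get((major, minor))
    if fixed_patch is None:
        # The advisory makes no statement about this branch.
        return "branch-not-listed"
    if patch < fixed_patch:
        return "affected"
    if patch == fixed_patch and prerelease:
        # Assumption: a pre-release build of the fixed version (e.g. -rc0)
        # may predate the fix, so it is reported as affected.
        return "affected"
    return "fixed"


def triage(inventory):
    """Map host -> status for lines of the form '<host> <version>'."""
    report = {}
    for line in inventory.strip().splitlines():
        parts = line.split()
        if len(parts) == 2:
            report[parts[0]] = classify(parts[1])
    return report


# Constructed sample inventory (host names and versions are illustrative).
SAMPLE = """
db-a 7.0.33
db-b 7.0.34
db-c 8.0.23-rc0
db-d 8.2.9
db-e 6.0.19
db-f 8.3.1
"""

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}\t{status}")
```

The version string for each server can be collected with `db.version()` in the shell or `mongod --version` on the host.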
Evidence notes
The debrief is based on the supplied NVD record and the MongoDB issue-tracker reference included there. NVD states the vulnerable version ranges, the schema-validation failure condition, the potential log-redaction gap, the CVSS 4.0 score/vector, and CWE-532. The only vendor-linked reference provided in the source corpus is Jira ticket SERVER-121895, tagged as Issue Tracking and Vendor Advisory.
Official resources
- CVE-2026-8200 CVE record (CVE.org)
- CVE-2026-8200 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference ([email protected] - Issue Tracking, Vendor Advisory)
Publicly disclosed on 2026-05-13 and last modified in the supplied record on 2026-05-18.