PatchSiren cyber security CVE debrief
CVE-2026-9751 MongoDB CVE debrief
CVE-2026-9751 is a medium-severity vulnerability in MongoDB. The ldapQueryPassword parameter, when set through the runtime setParameter command, logs the new password to the mongod.log file in plain text. This issue was published on CVE.org on 2026-06-09 and has a CVSS score of 6.8.
- Vendor: MongoDB
- Product: MongoDB Server
- CVSS: MEDIUM 6.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-09
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-09
- Advisory updated: 2026-06-12
Who should care
Users of MongoDB versions 7.0.0 to 7.0.35, 8.0.0 to 8.0.24, 8.2.0 to 8.2.10, and 8.3.0 to 8.3.3 should be aware of this vulnerability.
Technical summary
The vulnerability is caused by the insecure logging of the ldapQueryPassword parameter. An attacker with local access and low privileges could potentially exploit this vulnerability to access sensitive information.
Defensive priority
Medium
Recommended defensive actions
- Update to a version of MongoDB that is not vulnerable: 7.0.36, 8.0.25, 8.2.11, or 8.3.4 and later.
- Review and clean up the mongod.log file to ensure that sensitive information is not stored.
- Restrict access to the mongod.log file to prevent unauthorized access.
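The three actions above can be checked with a short script. This is an added example, not MongoDB's or the advisory's own tooling: it tests a version against the affected ranges listed on this page, reports which log lines mention ldapQueryPassword without echoing the value, redacts them, and checks whether the log is readable beyond its owner. The sample log lines are constructed, and their message text and attribute layout are assumptions.

```python
import os
import stat

# Affected ranges as stated on this page: (major, minor) -> highest affected patch.
AFFECTED = {(7, 0): 35, (8, 0): 24, (8, 2): 10, (8, 3): 3}
PARAM = "ldapQueryPassword"


def is_affected(version: str) -> bool:
    """True if a plain 'major.minor.patch' version is in a range listed on this page."""
    major, minor, patch = (int(part) for part in version.split(".")[:3])
    last_bad = AFFECTED.get((major, minor))
    return last_bad is not None and patch <= last_bad


def find_exposures(lines):
    """Return 1-based numbers of log lines that mention the parameter by name.

    Only line numbers are returned, so the report itself leaks nothing.
    """
    return [n for n, line in enumerate(lines, start=1) if PARAM in line]


def redact(lines):
    """Replace every line that mentions the parameter with a fixed marker."""
    marker = "[REDACTED: line referenced %s]\n" % PARAM
    return [marker if PARAM in line else line for line in lines]


def readable_by_others(path: str) -> bool:
    """True if group or world can read the log file (POSIX mode bits)."""
    return bool(os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH))


# Constructed sample lines in MongoDB's JSON log shape; the message text,
# ids and attr layout are assumptions, not captured from a real server.
SAMPLE_LOG = [
    '{"t":{"$date":"2026-06-10T08:00:00.000Z"},"s":"I","c":"NETWORK","id":1,"ctx":"listener","msg":"Connection accepted"}\n',
    '{"t":{"$date":"2026-06-10T08:01:00.000Z"},"s":"I","c":"COMMAND","id":2,"ctx":"conn7","msg":"Set parameter","attr":{"ldapQueryPassword":"EXAMPLE-ONLY"}}\n',
    '{"t":{"$date":"2026-06-10T08:02:00.000Z"},"s":"I","c":"ACCESS","id":3,"ctx":"conn7","msg":"Authenticated"}\n',
]

if __name__ == "__main__":
    print("affected:", is_affected("8.0.24"))
    print("exposed line numbers:", find_exposures(SAMPLE_LOG))
```

Apply `redact` to a rotated copy of the log rather than the file mongod is writing, and treat any password found this way as exposed.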
Evidence notes
Evidence from the NVD and MongoDB's vendor advisory supports the details of this debrief.
Official resources
- CVE-2026-9751 CVE record (CVE.org)
- CVE-2026-9751 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference: [email protected] - Vendor Advisory
CVE-2026-9751 was published on 2026-06-09 and modified on 2026-06-12.