Authenticate command with specific mechanism parameter can trigger server crash

8.2 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Description

When OIDC authentication is enabled in configuration, clients may set specific values in the "mechanism" parameter of the "authenticate" command that lead to server crash. The authenticate command is accessible to unauthenticated clients, leading to pre-auth denial-of-service in affected product configurations.

Basic Information

ID CVE-2026-9742

Source mongodb

Published Jun 9, 2026 at 21:57

Affected Product

Vendor MongoDB

Product MongoDB Server

Version 8.3.0

Affected Versions MongoDB MongoDB Server 8.3.0
MongoDB MongoDB Server 8.2.0

CWE Classification

CWE-1287

References

jira.mongodb.org /browse/SERVER-124183

{
    "lastseen": "",
    "description": "When OIDC authentication is enabled in configuration, clients may set specific values in the \"mechanism\" parameter of the \"authenticate\" command that lead to server crash. The authenticate command is accessible to unauthenticated clients, leading to pre-auth denial-of-service in affected product configurations.",
    "published": "2026-06-09T21:57:46.304Z",
    "modified": "2026-06-09T21:57:46.304Z",
    "type": "cve",
    "title": "Authenticate command with specific mechanism parameter can trigger server crash",
    "source": "mongodb",
    "references": "https://jira.mongodb.org/browse/SERVER-124183",
    "id": "CVE-2026-9742",
    "bulletinFamily": "",
    "cwe": [
        "CWE-1287"
    ],
    "cvelist": null,
    "sourceData": "MongoDB MongoDB Server 8.3.0\nMongoDB MongoDB Server 8.2.0",
    "sourceHref": "",
    "cvss": {
        "score": 8.2,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "MongoDB Server",
    "version": "8.3.0",
    "vendor": "MongoDB",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Authenticate command with specific mechanism parameter can trigger server crash_CVE-2026-9742