CVE-2026-9735: MongoDB Credential Disclosure in SASL Authentication Logging
MongoDB servers can accidentally write authentication credentials to log files when connection health metric logging is enabled. During SASL authentication, the full authentication parameters—including usernames and passwords—may be recorded without being masked or redacted. An attacker with local access to the server could read these log files and obtain valid credentials, bypassing the need for network-based attacks.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-532
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
MongoDB server may log authentication parameters, including credentials, to the server log during SASL authentication. When connection health metric logging is enabled, the full authentication parameters are written to the log without redaction.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-9735 is a credential disclosure vulnerability in MongoDB arising from insufficient log sanitization during SASL authentication flows. When the connection health metric logging feature is enabled, the authentication parameter logging mechanism fails to apply redaction to sensitive fields. The vulnerability is categorized under CWE-532 (Insertion of Sensitive Information into Log File). CVSS v3.1 scoring reflects local attack vector (AV:L), low complexity (AC:L), low privilege requirements (PR:L), and high confidentiality impact (C:H) with no integrity or availability consequences.
Business impact
Compromised credentials enable unauthorized database access without requiring exploitation of network-facing vulnerabilities. An insider threat or compromised local account could harvest plaintext credentials from logs, leading to lateral movement within the database tier, data exfiltration, and compliance violations. Organizations subject to HIPAA, PCI-DSS, or SOC 2 frameworks face audit findings when credentials appear in unencrypted logs. The blast radius depends on the privileges of exposed accounts and whether they are service accounts with broad permissions.
Affected systems
MongoDB server installations with connection health metric logging enabled are affected. The vulnerability applies across MongoDB versions that implement this logging feature; verify the specific version range against the official MongoDB security advisory and your deployment's logging configuration. Non-production instances and test environments may also retain logs containing credentials if this setting is globally enabled.
Exploitability
Exploitation requires local file system access to the MongoDB server logs—either through a compromised local account, SSH access, or physical proximity. The attack does not require network traversal or advanced technical capability; reading plaintext logs is trivial once local access is obtained. However, the requirement for local access (AV:L) constrains the threat to insider threats and downstream compromises of the host itself, rather than direct remote exploitation.
Remediation
Disable connection health metric logging if it is not operationally necessary. If health metrics are required, upgrade MongoDB to a patched version that redacts authentication parameters before writing to logs. Review existing log files for the presence of credentials and ensure they are rotated, encrypted, or securely deleted. Implement least-privilege access controls on log file directories and consider centralized log aggregation with parsing rules to mask credential-like patterns.
Patch guidance
Consult the MongoDB security advisory for the specific patched version addressing this issue. Patches will include updated logging serialization logic that redacts sensitive authentication fields. Test patches in non-production environments first, as changes to logging behavior may affect diagnostic workflows. Verify that log scrubbing applies to all authentication methods supported by your deployment, not just SASL.
Detection guidance
Search MongoDB server logs (typically in /var/log/mongodb/ or configured log paths) for patterns indicating unredacted SASL authentication parameters, such as plaintext credentials immediately following authentication attempt entries. Enable centralized log collection and use SIEM rules to flag logs containing suspected passwords or usernames in authentication contexts. Monitor the MongoDB process for changes to logging configuration and audit any modifications to connection health metric settings.
Why prioritize this
Although CVSS is MEDIUM (5.5), the direct exfiltration of valid credentials elevates practical risk. Organizations with strong host-level access controls and no local unprivileged users may treat this as lower priority; those with shared systems, SSH access, or documented insider threats should prioritize patching. The vulnerability is not in the CISA KEV catalog, so no active exploitation in the wild has been officially tracked as of the advisory date.
Risk score, explained
The score reflects a high confidentiality impact (credentials disclosed) balanced against the local-only attack vector. Integrity and availability are not affected, as the vulnerability is passive disclosure rather than injection or denial of service. Organizations with strong perimeter security and disciplined access controls may view this as lower risk, while those with cloud instances or multi-tenant infrastructure should weight it more heavily due to easier local compromise.
Frequently asked questions
Does this vulnerability allow remote code execution?
No. CVE-2026-9735 is a credential disclosure flaw, not a code execution vulnerability. It enables unauthorized authentication using exposed credentials, but does not directly compromise the MongoDB process or the underlying host.
Do I need to patch if I have not enabled connection health metric logging?
No, not for this specific vulnerability. However, verify your configuration explicitly—some deployments inherit default settings from templates or MongoDB Cloud deployments where logging may be enabled by default. Check your mongod configuration file and MongoDB Atlas settings.
Can credentials be rotated to limit exposure from already-logged secrets?
Yes. If you suspect logs have been accessed, rotate credentials for affected database users immediately. However, this does not remove already-written credentials from existing log files; secure deletion or archival of old logs is necessary.
How does this differ from application-level logging of secrets?
This is a database server logging flaw, not an application issue. MongoDB itself is writing credentials to logs despite security best practices. The root cause is in the MongoDB logging layer, not in client code.
This analysis is provided for informational purposes and reflects publicly available information as of the advisory date. Verify all patch versions, affected product ranges, and configuration details against the official MongoDB security advisory and your specific deployment documentation. CVSS scores and exploit status are subject to change as additional information becomes available. Consult with your organization's security and operations teams before implementing any changes to logging configurations or patching schedules. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-9751MEDIUMMongoDB LDAP Password Plaintext Logging Vulnerability
- CVE-2026-0267MEDIUMPalo Alto GlobalProtect macOS Passcode Exposure Vulnerability
- CVE-2026-41184MEDIUMCalico ServiceAccount Token Exposure in CNI Logs
- CVE-2026-41185MEDIUMCalico Azure IPAM Plaintext Credential Logging Vulnerability
- CVE-2026-45581MEDIUMHyperledger Fabric Java Chaincode TLS Password Exposure in Logs
- CVE-2026-45679MEDIUMOpenTelemetry eBPF Instrumentation Data Exfiltration via Redis Error Messages
- CVE-2026-40619HIGHGenetec Security Center Admin Credential Disclosure (Build-Based Vulnerability)
- CVE-2026-50205HIGHAcer Connect M6E 5G SMTP Password Exposure in System Logs