CVE-2026-9742: MongoDB OIDC Pre-Auth Denial-of-Service Vulnerability
CVE-2026-9742 is a pre-authentication denial-of-service vulnerability in MongoDB when OIDC (OpenID Connect) authentication is enabled. Unauthenticated attackers can crash the server by sending specially crafted values in the "mechanism" parameter of the authenticate command, disrupting service availability without requiring valid credentials.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-1287
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-18
NVD description (verbatim)
When OIDC authentication is enabled in configuration, clients may set specific values in the "mechanism" parameter of the "authenticate" command that lead to server crash. The authenticate command is accessible to unauthenticated clients, leading to pre-auth denial-of-service in affected product configurations.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
This vulnerability exploits improper input validation in MongoDB's OIDC authentication handler. When OIDC is configured, the authenticate command—normally accessible before credentials are verified—accepts a "mechanism" parameter that lacks adequate sanitization. Specific parameter values trigger an unhandled exception or resource exhaustion condition that terminates the server process. The root cause maps to CWE-1287 (Improper Validation of Specified Type of Input for an API). The vulnerability requires network access but no authentication, making it trivial to trigger from any network-accessible MongoDB instance with OIDC enabled.
Business impact
Organizations running MongoDB with OIDC authentication face service disruption risk. Attackers can repeatedly crash the database server, rendering applications dependent on that instance unavailable. In multi-replica deployments, targeted attacks on primary nodes could force failover; in single-node deployments, downtime is direct. Financial impact includes lost transaction processing, interrupted user sessions, and operational overhead to restart services. Industries reliant on continuous database availability—fintech, healthcare, SaaS platforms—face elevated operational risk.
Affected systems
MongoDB is the affected product. Vulnerability exposure requires two configuration preconditions: (1) OIDC authentication must be explicitly enabled in the server configuration, and (2) the MongoDB instance must be network-accessible to potential attackers. Default MongoDB installations without OIDC are unaffected. Organizations using password, LDAP, or x.509 authentication are not vulnerable. The vulnerability is unauthenticated, so no valid user accounts are required to exploit it.
Exploitability
Exploitability is very high. The attack requires only network connectivity to a MongoDB instance; no authentication, privileged knowledge, or user interaction is necessary. The exploit is straightforward: send a malformed authenticate command with a crafted mechanism parameter. No complex attack chains or race conditions are involved. Attack tooling can be developed with minimal effort, making this attractive for network reconnaissance and opportunistic disruption campaigns. The vulnerability carries a CVSS 3.1 score of 7.5 (HIGH), reflecting the ease of exploitation and significant availability impact.
Remediation
Apply a vendor-issued security patch immediately. Consult the MongoDB advisory for specific patched version numbers and compatibility guidance. If patching cannot be deployed immediately, implement compensating controls: (1) restrict network access to MongoDB to trusted application servers only using firewall rules or network segmentation, (2) disable OIDC authentication if it is not required for your deployment, and (3) monitor authentication attempt logs for repeated crashes or abnormal authenticate command patterns. These controls reduce attack surface but do not eliminate the vulnerability—patching remains the definitive fix.
Patch guidance
Contact MongoDB or consult their official security advisory for the specific patched version addressing CVE-2026-9742. Test patches in a staging environment that mirrors production configuration, including OIDC setup, before production deployment. Verify that OIDC authentication continues to function correctly post-patch and that no service interruptions occur during updates. If your deployment uses MongoDB Ops Manager or Atlas, confirm vendor-provided guidance on automatic patching timelines or required administrative actions.
Detection guidance
Monitor MongoDB logs for repeated crashes or unexpected process terminations correlated with authentication attempts, particularly from external or unexpected IP addresses. Deploy network intrusion detection rules to flag suspicious authenticate commands with unusual mechanism parameter values sent to port 27017 or custom MongoDB ports. Implement alerting on MongoDB server restart events, especially multiple restarts within a short timeframe, which may indicate exploitation attempts. Review firewall and proxy logs for patterns of repeated connection attempts to MongoDB ports from single sources—a signature of DoS scanning.
Why prioritize this
Prioritize this vulnerability as HIGH-URGENCY for any MongoDB deployment with OIDC enabled and network exposure. The combination of unauthenticated access, trivial exploitation, and direct availability impact creates acute operational risk. Even organizations with robust disaster recovery may face brief outages and operational response costs. Prioritize patching over other medium-severity vulnerabilities; if immediate patching is infeasible, implement network segmentation as an interim mitigation within days, not weeks.
Risk score, explained
The CVSS 3.1 score of 7.5 (HIGH) reflects: (1) Network-accessible attack vector (AV:N) with no authentication required (PR:N), (2) Low attack complexity (AC:L) requiring no special conditions, (3) High availability impact (A:H) from direct server crash, and (4) no confidentiality or integrity impact (C:N, I:N). The score appropriately captures the operational severity without inflating severity due to lack of data exposure. The practical risk is amplified in environments where OIDC is enabled and internet-facing—common in cloud and hybrid deployments—making this a strong candidate for immediate remediation despite the numerical score.
Frequently asked questions
Does this vulnerability affect MongoDB without OIDC authentication?
No. The vulnerability is specific to MongoDB instances with OIDC authentication explicitly enabled in the server configuration. Deployments using password, LDAP, x.509, or other authentication methods are not vulnerable. If OIDC is not required for your use case, disabling it eliminates the risk.
Can the attacker gain data access or modify records using this vulnerability?
No. This is a pure denial-of-service vulnerability affecting availability only. The CVSS vector reflects no confidentiality (C:N) or integrity (I:N) impact. Attackers cannot read data, modify records, or escalate privileges through this flaw. The impact is limited to crashing the server process.
What is the difference between a pre-authentication and post-authentication denial-of-service vulnerability?
Pre-authentication means the attacker does not need valid MongoDB credentials to trigger the crash. Post-authentication would require a valid user account. Pre-auth is more severe because any network-accessible instance is immediately at risk, whereas post-auth vulnerabilities affect only environments where insider threats or compromised accounts are a concern. This vulnerability is pre-auth.
If I have network segmentation restricting MongoDB access, am I still at risk?
If MongoDB is only accessible from trusted internal application servers and not exposed to untrusted networks, the practical attack surface is significantly reduced. Network segmentation is an effective interim mitigation but does not eliminate the vulnerability itself. A disgruntled or compromised internal user could still trigger the crash. Patching remains necessary for complete remediation.
This analysis is provided for informational purposes and reflects publicly available vulnerability data as of the publication date. Organizations must verify patch availability and compatibility with their specific MongoDB versions and deployments against official vendor advisories. The vulnerability may be subject to additional research or clarification as details emerge. Network segmentation and monitoring recommendations are interim mitigations and do not substitute for official patches. Consult with MongoDB support or your security vendor for deployment-specific guidance. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-9753HIGHMongoDB Out-of-Bounds Memory Access in Aggregation Pipeline
- CVE-2026-11460HIGHBoost Serialization Remote Input Validation Flaw – No Patch Available
- CVE-2026-49941HIGHNet::CIDR::Set Infinite Recursion Denial of Service
- CVE-2024-6858MEDIUMArista EOS 802.1X Multi-Auth Bypass via Fallback VLAN EAPOL Device
- CVE-2026-47675MEDIUMHono Cookie Injection Vulnerability in sameSite and priority Parameters
- CVE-2026-9740HIGHMongoDB BSON Validation Denial of Service (Unauthenticated)
- CVE-2026-9735MEDIUMMongoDB Credential Disclosure in SASL Authentication Logging
- CVE-2026-9741MEDIUMMongoDB Queryable Encryption & CSFLE Plaintext Field Leak in Vector Search