MEDIUM 5.5

CVE-2026-9751: MongoDB LDAP Password Plaintext Logging Vulnerability

MongoDB has a logging issue where LDAP passwords are exposed in plain text. When an administrator uses the runtime setParameter command to configure LDAP authentication (specifically the ldapQueryPassword parameter), the new password is written directly to the mongod.log file instead of being masked or encrypted. Any user with local access to the server or log files can read this sensitive credential, defeating password protection. This is a configuration-time mistake rather than a network-exploitable flaw, but it creates a direct path to credential compromise.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Weaknesses (CWE)
CWE-532
Affected products
1 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

The ldapQueryPassword parameter, when set through the runtime setParameter command, will log the new password to the mongod.log file in plain text.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-9751 affects MongoDB's LDAP authentication setup process. The vulnerability stems from insufficient output filtering in the setParameter command handler. When ldapQueryPassword is set via the runtime configuration interface, the plaintext value is logged to mongod.log without redaction. The CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) reflects local attack surface (AV:L), low complexity (AC:L), requirement for low privilege (PR:L), and high confidentiality impact (C:H). No integrity or availability impact is present. This falls under CWE-532 (Insertion of Sensitive Information into Log File).

Business impact

Compromised LDAP credentials can allow attackers to escalate privileges within your directory service, potentially granting them access to all systems that trust LDAP authentication. If an attacker gains local shell access to a MongoDB server (common in co-located or containerized deployments), they can immediately harvest the LDAP bind password from readable logs. This undermines the security of your entire authentication infrastructure. In multi-tenant environments or organizations with strict access controls, this creates an inadvertent side-channel that bypasses intended privilege boundaries.

Affected systems

MongoDB deployments using LDAP authentication are at risk if administrators have ever used the runtime setParameter command to configure ldapQueryPassword. The vulnerability affects all affected MongoDB versions that implement LDAP authentication; consult the official MongoDB security advisory for specific version ranges and patch guidance. Installations that configure LDAP only at startup (via configuration file) and never adjust it at runtime may be partially mitigated, though this depends on the specific MongoDB version.

Exploitability

Exploitation requires local or authenticated access to the MongoDB server and the ability to read log files. This is not a remote code execution or unauthenticated attack vector. However, the bar for exploitation is low once an attacker has local shell access—reading a log file requires no special privileges beyond standard file system permissions. The vulnerability does not require user interaction or complex attack chaining. In cloud or containerized environments where multiple workloads run on shared infrastructure, local access may be more accessible than in traditional data centers.

Remediation

Apply the MongoDB security patch released by the vendor. Verify the patch version against the official MongoDB security advisory. As an interim measure, restrict read access to mongod.log files using OS-level permissions so that only the MongoDB process owner and trusted administrators can view logs. Consider rotating any LDAP credentials that may have been logged and ensure your directory service audit logs reflect any suspicious authentication attempts. Review historical log files for evidence of exposed passwords if you suspect they may have been accessed.

Patch guidance

Obtain the patched MongoDB version from the official MongoDB download site or your organization's package repository. The patch addresses plaintext logging by implementing proper redaction in the setParameter command output. Testing should confirm that new LDAP password configurations no longer appear in mongod.log after patching. Verify the fix against the vendor advisory before deploying to production. Plan patching around maintenance windows if your MongoDB instances cannot tolerate brief restarts.

Detection guidance

Search mongod.log files for entries containing 'ldapQueryPassword' or 'setParameter' combined with authentication-related context. Tools like grep or centralized log aggregation platforms (ELK, Splunk, etc.) can identify instances where this command was executed. Monitor for any setParameter commands in your audit logs to catch future misconfigurations. If you discover historical occurrences, treat the exposed password as compromised and initiate credential rotation immediately. Log ingestion rules should flag any plaintext password patterns in MongoDB logs for manual review.

Why prioritize this

Although the CVSS score is medium (5.5) and the vulnerability requires local access, it directly exposes authentication credentials used to secure your directory service. The ease of exploitation once local access is gained, combined with the severity of credential exposure, warrants prompt patching. Organizations with strict network segmentation may deprioritize slightly, but those with multiple workloads on shared infrastructure or weak local access controls should treat this as high priority.

Risk score, explained

The CVSS 3.1 score of 5.5 (MEDIUM) reflects the local-only attack vector and requirement for authenticated access, preventing a higher severity rating. However, the high confidentiality impact (passwords exposed in plain text) is the dominant concern. The score does not fully capture the business risk of credential compromise, which often leads to lateral movement and privilege escalation. Organizations should consider their own risk tolerance: if LDAP credential compromise would enable significant downstream damage (e.g., access to highly sensitive systems), the business risk exceeds the CVSS score.

Frequently asked questions

If we only configure LDAP at startup via the configuration file and never use setParameter, are we vulnerable?

Your exposure is significantly reduced, though it depends on your MongoDB version and whether any administrator has ever used setParameter for LDAP tuning. Verify against the official advisory to confirm your version is unaffected. Even so, applying the patch eliminates any ambiguity and ensures the logging safeguard is in place.

Can we detect if our LDAP password was exposed before patching?

Yes. Search your mongod.log archives for setParameter commands and ldapQueryPassword entries. If found, assume the credential was exposed and initiate immediate password rotation in your directory service. Review directory service audit logs for unauthorized bind attempts or suspicious access patterns during the exposed period.

Does this vulnerability allow remote code execution or unauthorized MongoDB access?

No. This is strictly a local information disclosure vulnerability. An attacker cannot remotely extract the LDAP password, nor can they use this bug to bypass MongoDB authentication directly. However, once they obtain the LDAP password from logs, they can use it to compromise your directory service, which may indirectly grant them access to MongoDB and other systems.

What should we do with our LDAP credentials after discovering they may have been exposed?

Rotate the LDAP bind account password in your directory service immediately. Update MongoDB and any other systems that reference this credential. Review access logs in your directory service for any anomalous authentication activity. If you suspect the credential was accessed by unauthorized parties, escalate to your identity and access management team for further investigation.

This analysis is based on available vulnerability information as of the publication date. Consult the official MongoDB security advisory for authoritative patch guidance, affected version ranges, and additional details. Proof-of-concept code and detailed exploitation techniques are intentionally omitted. Organizations should validate all remediation steps in non-production environments before deploying to critical systems. SEC.co makes no warranty regarding the completeness or accuracy of this information and assumes no liability for decisions made based on this analysis. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).