Heap Buffer Overflow in MongoDB C Driver Due to Unsafe String Copying
CVE-2026-6691
8.6 HIGH
What is CVE-2026-6691?
The MongoDB C Driver's integration with Cyrus SASL copies strings unsafely while canonicalizing usernames. If untrusted input reaches the username field of a MongoDB URI configured with authMechanism=GSSAPI, this flaw can cause a heap buffer overflow. The overflow can be triggered before any authentication or network traffic takes place, exposing affected systems to potential compromise.
Affected Version(s)
MongoDB C Driver 2.1.0 <= 2.1.2
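
An added example, not code from the MongoDB C Driver or from this advisory: a pre-flight check an application could run before handing a URI to the driver, flagging the combination described above (affected version, authMechanism=GSSAPI, and a username present). The function names, the sample URIs and the choice to treat an unparseable version string as affected are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Range stated on this page: 2.1.0 <= version <= 2.1.2. Unparseable => assume affected. */
static int version_affected(const char *ver) {
    int maj, min, pat;
    if (sscanf(ver, "%d.%d.%d", &maj, &min, &pat) != 3) return 1;
    return maj == 2 && min == 1 && pat >= 0 && pat <= 2;
}

/* Length of the username in mongodb://user[:pass]@host..., 0 if there is none. */
static size_t uri_username_len(const char *uri) {
    const char *p = strstr(uri, "://"), *at = NULL;
    if (!p) return 0;
    size_t auth_len = strcspn(p += 3, "/?");     /* authority ends at path or query */
    for (size_t i = 0; i < auth_len; i++)
        if (p[i] == '@') at = p + i;             /* last '@' closes the userinfo */
    if (!at) return 0;
    const char *colon = memchr(p, ':', (size_t)(at - p));
    return (size_t)((colon ? colon : at) - p);
}

/* 1 if a query option is authMechanism=GSSAPI (case-insensitive, to stay conservative). */
static int uri_selects_gssapi(const char *uri) {
    static const char want[] = "authmechanism=gssapi";
    for (const char *q = strchr(uri, '?'); q && *q; q += strcspn(q, "&;")) {
        size_t n = strcspn(++q, "&;"), i = 0;    /* ++q skips '?', '&' or ';' */
        while (n == sizeof want - 1 && i < n && tolower((unsigned char)q[i]) == want[i]) i++;
        if (n && i == n) return 1;
    }
    return 0;
}

/* 1 = hold the URI for review (reject if the username is untrusted), 0 = pass through. */
static int uri_needs_review(const char *driver_version, const char *uri) {
    return version_affected(driver_version) && uri_selects_gssapi(uri) && uri_username_len(uri) > 0;
}

int main(void) {
    const char *uris[] = {   /* constructed samples; hosts and names are placeholders */
        "mongodb://alice%40EXAMPLE.TEST@db.example.test/?authMechanism=GSSAPI",
        "mongodb://alice:pw@db.example.test/?authMechanism=SCRAM-SHA-256",
        "mongodb://db.example.test:27017/?authMechanism=GSSAPI",
    };
    for (size_t i = 0; i < sizeof uris / sizeof *uris; i++)
        printf("%-6s %s\n", uri_needs_review("2.1.1", uris[i]) ? "REVIEW" : "ok", uris[i]);
    return 0;
}
```

The check only identifies URIs that match the conditions named in the advisory; whether the username is untrusted is something the calling application has to know.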