Plain Text Password Logging in MongoDB
CVE-2026-9751

6.8MEDIUM

Key Information:

Vendor

Mongodb

Vendor
CVE Published:
9 June 2026

What is CVE-2026-9751?

A security vulnerability in MongoDB allows the ldapQueryPassword parameter to log new passwords in plain text to the mongod.log file when set through the runtime setParameter command. This exposure poses a significant risk to the confidentiality of credentials, as unauthorized users with access to the log files can retrieve sensitive information, potentially leading to further unauthorized access or exploitation. It is imperative for users to review access controls and secure log file storage to mitigate these risks.

Affected Version(s)

MongoDB Server 8.3.0 < 8.3.3

MongoDB Server 8.2.0 < 8.2.10

MongoDB Server 8.0.0 < 8.0.24

References

CVSS V4

Score:
6.8
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.