Plain Text Password Logging in MongoDB
CVE-2026-9751
6.8MEDIUM
What is CVE-2026-9751?
A security vulnerability in MongoDB allows the ldapQueryPassword parameter to log new passwords in plain text to the mongod.log file when set through the runtime setParameter command. This exposure poses a significant risk to the confidentiality of credentials, as unauthorized users with access to the log files can retrieve sensitive information, potentially leading to further unauthorized access or exploitation. It is imperative for users to review access controls and secure log file storage to mitigate these risks.
Affected Version(s)
MongoDB Server 8.3.0 < 8.3.3
MongoDB Server 8.2.0 < 8.2.10
MongoDB Server 8.0.0 < 8.0.24