ZeroPath at Black Hat USA 2026

MongoDB CVE-2026-9742: Quick Look at the Pre-Auth OIDC Denial-of-Service Vulnerability

A brief summary of CVE-2026-9742, a pre-authentication denial-of-service vulnerability in MongoDB's OIDC authentication handler that allows unauthenticated clients to crash the server by sending crafted mechanism parameter values.

CVE Analysis

10 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-06-09

MongoDB CVE-2026-9742: Quick Look at the Pre-Auth OIDC Denial-of-Service Vulnerability
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

An unauthenticated client can crash a MongoDB server with a single crafted authenticate command when OIDC authentication is enabled, making this a zero interaction, zero credential denial of service vulnerability. With MongoDB commanding nearly 46% of the NoSQL database market and OIDC adoption growing alongside enterprise zero trust initiatives, CVE-2026-9742 represents a meaningful risk for organizations that have embraced federated identity for their database layer.

This is notably the second OIDC related pre-authentication DoS vulnerability disclosed in MongoDB within approximately 12 months, following CVE-2025-6709 (CVSS 7.5, published June 2025). The pattern suggests systemic weaknesses in the OIDC authentication subsystem rather than isolated bugs.

Technical Information

Root Cause: CWE-1287 and Overly Permissive Input Handling

CVE-2026-9742 is classified under CWE-1287 (Improper Validation of Specified Type of Input), a child of CWE-20 (Improper Input Validation) and a peer of CWE-843 (Type Confusion). The core issue is that the MongoDB server's authenticate command does not properly validate the type of the mechanism parameter before processing it. When a client supplies a mechanism value that falls outside the expected set of valid types, the server fails to reject or gracefully handle the input, resulting in a crash.

The MongoDB Jira ticket SERVER-124183, titled "Limit scope of authenticate," provides the key insight: the internal description states that "authenticate is more generic than it needs to be." This confirms the vulnerability is not a simple missing null check or boundary condition; the fundamental design of the authenticate command accepted a broader range of mechanism parameter values than the server could safely process.

CWE-1287 has appeared in other notable vulnerabilities. CVE-2024-37032 ("Probllama"), which affected the Ollama AI platform, shared the same root weakness classification. In that case, failure to validate a digest format input allowed path traversal and arbitrary file reads. While the impact differs (data exposure versus denial of service), the underlying pattern is identical: the server assumes input conforms to an expected type but never enforces that assumption.

CVSS Vector Analysis

The CVSS v4.0 vector string CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N yields a score of 8.2 (HIGH). The v3.x score is 7.5. The key metrics break down as follows:

CVSS v4.0 MetricValueSignificance
Attack Vector (AV)NetworkExploitable remotely
Attack Complexity (AC)LowNo specialized conditions beyond OIDC being enabled
Attack Requirements (AT)PresentOIDC must be enabled in server configuration
Privileges Required (PR)NoneNo authentication needed
User Interaction (UI)NoneNo user action required
Availability Impact (VA)HighComplete server crash
Confidentiality/IntegrityNoneNo data disclosure or modification

The AT:P (Attack Requirements: Present) qualifier is the critical scope limiter. Only MongoDB deployments with OIDC authentication explicitly enabled are vulnerable. Deployments using SCRAM, X.509, or LDAP authentication without OIDC are not affected by this specific flaw. However, any deployment using OIDC for federated identity with providers such as Azure AD or Google Workspace is exposed.

Attack Flow

An attacker exploits CVE-2026-9742 through the following sequence:

  1. Connect to a target MongoDB server that has OIDC authentication enabled. The authenticate command is accessible to unauthenticated clients, so no credentials are needed to reach the vulnerable code path.

  2. Send an authenticate command with a specifically crafted value in the mechanism parameter. The exact values that trigger the crash have not been publicly disclosed, but the vulnerability description confirms that "specific values" in the mechanism parameter cause the crash.

  3. The server processes the invalid mechanism value without proper type validation. Because the authenticate handler is "more generic than it needs to be," it attempts to process the unexpected input rather than rejecting it at the validation boundary.

  4. The server crashes, becoming unavailable to all connected clients and dependent applications. Given the low attack complexity and deterministic nature of the crash (implied by the CVSS AC:L rating), the exploit can be reliably repeated to maintain a denial of service condition.

No special tools are required beyond a standard MongoDB client or any network socket capable of sending MongoDB wire protocol commands. The attack is entirely pre-authentication, meaning network access to the MongoDB port is the only prerequisite beyond the OIDC configuration requirement.

OIDC Authentication Context

MongoDB's OIDC authentication mechanism enables workload identity federation, allowing applications to authenticate to MongoDB using tokens from external identity providers. This is documented across MongoDB's driver ecosystem (Node.js, Java, .NET) and is increasingly adopted in cloud native deployments. The growing adoption of OIDC for database authentication means the pool of potentially vulnerable deployments is expanding over time, even though OIDC is not enabled by default.

Affected Systems and Versions

The Jira ticket SERVER-124183 lists "Affects Version/s: None," which may indicate the affected version range is not publicly disclosed or that the flaw exists across a broad range of MongoDB Server versions. Based on the available fix information:

Fixed Versions:

  • MongoDB Server 8.3.3 (v8.3 branch)
  • MongoDB Server 8.2.10 (v8.2 branch)

Vulnerable Configuration Requirement:

  • OIDC authentication must be enabled in the MongoDB server configuration. Deployments using only SCRAM, X.509, or LDAP authentication are not vulnerable to this specific flaw.

The fix is marked as Fully Compatible, meaning no backward compatibility concerns exist when upgrading to the patched versions. The fix was backported to both the v8.3 and v8.2 release branches.

MongoDB Atlas managed service customers should verify their cluster versions, as Atlas may receive automatic patching on a different timeline.

Vendor Security History

MongoDB's authentication subsystem has been a recurring source of security vulnerabilities in 2025 and 2026. The following table summarizes the most significant recent server vulnerabilities and their relationship to CVE-2026-9742:

CVE IDCVSSDate PublishedDescriptionRelationship
CVE-2025-67097.5June 26, 2025Pre-auth DoS in OIDC authenticationSame attack surface: OIDC pre-auth DoS
CVE-2025-14847 (MongoBleed)8.7Dec 19, 2025Unauthenticated heap memory leak via zlibUnauthenticated, network accessible; confirmed exploited in the wild
CVE-2026-256118.7Feb 10, 2026Pre-auth memory exhaustion DoSPre-auth DoS, same vulnerability class
CVE-2026-41488.7Mar 17, 2026Use after free in $lookupHigh severity server crash
CVE-2026-80538.7May 12, 2026FlatBSON time series drift DoSServer availability impact
CVE-2026-84319.4May 12, 2026Ops Manager RCE via webhookCritical severity, remote code execution

The appearance of CVE-2025-6709 and CVE-2026-9742 within approximately 12 months, both targeting the same OIDC authentication mechanism with the same attack pattern (pre-auth DoS), is particularly notable. The Jira ticket's description ("authenticate is more generic than it needs to be") suggests the fix for CVE-2026-9742 addresses a broader design issue rather than a narrow parameter check, which may explain why the prior fix for CVE-2025-6709 did not prevent this second vulnerability.

CVE-2025-14847 (MongoBleed) is especially relevant to threat context: Bitsight security researchers confirmed it was actively exploited in the wild, and Palo Alto Unit 42 published a dedicated threat brief. This confirms that MongoDB server vulnerabilities attract real threat actor attention and are weaponized in practice.

MongoDB serves as its own CVE Numbering Authority (CNA), controlling disclosure timelines for its products. The SERVER-124183 fix was developed by the Server Security team across five sprints from April to June 2026, with resolution on June 9, 2026.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization