Introduction
An unauthenticated client can crash a MongoDB server with a single crafted authenticate command when OIDC authentication is enabled, making this a zero interaction, zero credential denial of service vulnerability. With MongoDB commanding nearly 46% of the NoSQL database market and OIDC adoption growing alongside enterprise zero trust initiatives, CVE-2026-9742 represents a meaningful risk for organizations that have embraced federated identity for their database layer.
This is notably the second OIDC related pre-authentication DoS vulnerability disclosed in MongoDB within approximately 12 months, following CVE-2025-6709 (CVSS 7.5, published June 2025). The pattern suggests systemic weaknesses in the OIDC authentication subsystem rather than isolated bugs.
Technical Information
Root Cause: CWE-1287 and Overly Permissive Input Handling
CVE-2026-9742 is classified under CWE-1287 (Improper Validation of Specified Type of Input), a child of CWE-20 (Improper Input Validation) and a peer of CWE-843 (Type Confusion). The core issue is that the MongoDB server's authenticate command does not properly validate the type of the mechanism parameter before processing it. When a client supplies a mechanism value that falls outside the expected set of valid types, the server fails to reject or gracefully handle the input, resulting in a crash.
The MongoDB Jira ticket SERVER-124183, titled "Limit scope of authenticate," provides the key insight: the internal description states that "authenticate is more generic than it needs to be." This confirms the vulnerability is not a simple missing null check or boundary condition; the fundamental design of the authenticate command accepted a broader range of mechanism parameter values than the server could safely process.
CWE-1287 has appeared in other notable vulnerabilities. CVE-2024-37032 ("Probllama"), which affected the Ollama AI platform, shared the same root weakness classification. In that case, failure to validate a digest format input allowed path traversal and arbitrary file reads. While the impact differs (data exposure versus denial of service), the underlying pattern is identical: the server assumes input conforms to an expected type but never enforces that assumption.
CVSS Vector Analysis
The CVSS v4.0 vector string CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N yields a score of 8.2 (HIGH). The v3.x score is 7.5. The key metrics break down as follows:
| CVSS v4.0 Metric | Value | Significance |
|---|---|---|
| Attack Vector (AV) | Network | Exploitable remotely |
| Attack Complexity (AC) | Low | No specialized conditions beyond OIDC being enabled |
| Attack Requirements (AT) | Present | OIDC must be enabled in server configuration |
| Privileges Required (PR) | None | No authentication needed |
| User Interaction (UI) | None | No user action required |
| Availability Impact (VA) | High | Complete server crash |
| Confidentiality/Integrity | None | No data disclosure or modification |
The AT:P (Attack Requirements: Present) qualifier is the critical scope limiter. Only MongoDB deployments with OIDC authentication explicitly enabled are vulnerable. Deployments using SCRAM, X.509, or LDAP authentication without OIDC are not affected by this specific flaw. However, any deployment using OIDC for federated identity with providers such as Azure AD or Google Workspace is exposed.
Attack Flow
An attacker exploits CVE-2026-9742 through the following sequence:
-
Connect to a target MongoDB server that has OIDC authentication enabled. The
authenticatecommand is accessible to unauthenticated clients, so no credentials are needed to reach the vulnerable code path. -
Send an
authenticatecommand with a specifically crafted value in themechanismparameter. The exact values that trigger the crash have not been publicly disclosed, but the vulnerability description confirms that "specific values" in the mechanism parameter cause the crash. -
The server processes the invalid mechanism value without proper type validation. Because the authenticate handler is "more generic than it needs to be," it attempts to process the unexpected input rather than rejecting it at the validation boundary.
-
The server crashes, becoming unavailable to all connected clients and dependent applications. Given the low attack complexity and deterministic nature of the crash (implied by the CVSS AC:L rating), the exploit can be reliably repeated to maintain a denial of service condition.
No special tools are required beyond a standard MongoDB client or any network socket capable of sending MongoDB wire protocol commands. The attack is entirely pre-authentication, meaning network access to the MongoDB port is the only prerequisite beyond the OIDC configuration requirement.
OIDC Authentication Context
MongoDB's OIDC authentication mechanism enables workload identity federation, allowing applications to authenticate to MongoDB using tokens from external identity providers. This is documented across MongoDB's driver ecosystem (Node.js, Java, .NET) and is increasingly adopted in cloud native deployments. The growing adoption of OIDC for database authentication means the pool of potentially vulnerable deployments is expanding over time, even though OIDC is not enabled by default.
Affected Systems and Versions
The Jira ticket SERVER-124183 lists "Affects Version/s: None," which may indicate the affected version range is not publicly disclosed or that the flaw exists across a broad range of MongoDB Server versions. Based on the available fix information:
Fixed Versions:
- MongoDB Server 8.3.3 (v8.3 branch)
- MongoDB Server 8.2.10 (v8.2 branch)
Vulnerable Configuration Requirement:
- OIDC authentication must be enabled in the MongoDB server configuration. Deployments using only SCRAM, X.509, or LDAP authentication are not vulnerable to this specific flaw.
The fix is marked as Fully Compatible, meaning no backward compatibility concerns exist when upgrading to the patched versions. The fix was backported to both the v8.3 and v8.2 release branches.
MongoDB Atlas managed service customers should verify their cluster versions, as Atlas may receive automatic patching on a different timeline.
Vendor Security History
MongoDB's authentication subsystem has been a recurring source of security vulnerabilities in 2025 and 2026. The following table summarizes the most significant recent server vulnerabilities and their relationship to CVE-2026-9742:
| CVE ID | CVSS | Date Published | Description | Relationship |
|---|---|---|---|---|
| CVE-2025-6709 | 7.5 | June 26, 2025 | Pre-auth DoS in OIDC authentication | Same attack surface: OIDC pre-auth DoS |
| CVE-2025-14847 (MongoBleed) | 8.7 | Dec 19, 2025 | Unauthenticated heap memory leak via zlib | Unauthenticated, network accessible; confirmed exploited in the wild |
| CVE-2026-25611 | 8.7 | Feb 10, 2026 | Pre-auth memory exhaustion DoS | Pre-auth DoS, same vulnerability class |
| CVE-2026-4148 | 8.7 | Mar 17, 2026 | Use after free in $lookup | High severity server crash |
| CVE-2026-8053 | 8.7 | May 12, 2026 | FlatBSON time series drift DoS | Server availability impact |
| CVE-2026-8431 | 9.4 | May 12, 2026 | Ops Manager RCE via webhook | Critical severity, remote code execution |
The appearance of CVE-2025-6709 and CVE-2026-9742 within approximately 12 months, both targeting the same OIDC authentication mechanism with the same attack pattern (pre-auth DoS), is particularly notable. The Jira ticket's description ("authenticate is more generic than it needs to be") suggests the fix for CVE-2026-9742 addresses a broader design issue rather than a narrow parameter check, which may explain why the prior fix for CVE-2025-6709 did not prevent this second vulnerability.
CVE-2025-14847 (MongoBleed) is especially relevant to threat context: Bitsight security researchers confirmed it was actively exploited in the wild, and Palo Alto Unit 42 published a dedicated threat brief. This confirms that MongoDB server vulnerabilities attract real threat actor attention and are weaponized in practice.
MongoDB serves as its own CVE Numbering Authority (CNA), controlling disclosure timelines for its products. The SERVER-124183 fix was developed by the Server Security team across five sprints from April to June 2026, with resolution on June 9, 2026.
References
- NVD Entry for CVE-2026-9742
- MongoDB Jira: SERVER-124183 "Limit scope of authenticate"
- CWE-1287: Improper Validation of Specified Type of Input
- MongoDB Alerts Page
- Red Hat Security Advisory RHSA-2026:9742
- MongoDB OIDC Authentication Mechanism Documentation (Node.js)
- MongoDB OIDC Authentication Mechanism Documentation (Java)
- NVD Entry for CVE-2025-14847 (MongoBleed)
- Bitsight: CVE-2025-14847 MongoDB MongoBleed
- Palo Alto Unit 42: Threat Brief on CVE-2025-14847
- SentinelOne: CVE-2026-25611 MongoDB Server DOS Vulnerability
- CISA Known Exploited Vulnerabilities Catalog
- MongoDB CVEs on OpenCVE
- MongoDB Market Share in NoSQL Databases (6sense)
- MongoDB Q1 FY2027 Financial Results



