CVE-2026-6231
Validation Bypass in MongoDB C Driver BSON Processing
Publication date: 2026-04-13
Last updated on: 2026-05-06
Assigner: MongoDB, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mongodb | c_driver | to 1.30.5 (exc) |
| mongodb | c_driver | From 2.0.0 (inc) to 2.0.2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in the bson_validate function of the MongoDB C Driver. This function may return early on certain inputs and incorrectly report that the BSON data is valid. As a result, malformed or invalid UTF-8 sequences can bypass validation and be processed incorrectly.
This issue affects applications that rely on the bson_validate function to check untrusted BSON data before processing it further.
How can this vulnerability impact me? :
Because the bson_validate function may incorrectly validate malformed BSON data, applications using this function might process invalid or malicious data without proper checks.
This can lead to incorrect application behavior, potential data corruption, or security issues due to processing unexpected or malformed input.