CVE-2026-9751
Status: Analyzed - Analysis Complete

LDAP Password Logging in MongoDB Server

Vulnerability report for CVE-2026-9751, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-09

Last updated on: 2026-06-12

Assigner: MongoDB, Inc.

Description

The ldapQueryPassword parameter, when set through the runtime setParameter command, will log the new password to the mongod.log file in plain text.


Meta Information

Published: 2026-06-09
Last Modified: 2026-06-12
Generated: 2026-06-30
AI Q&A: 2026-06-10
EPSS Evaluated: 2026-06-28
External references: NVD, EUVD

Affected Vendors & Products

4 associated CPEs
Vendor Product Version / Range
mongodb mongodb From 7.0.0 (inc) to 7.0.35 (exc)
mongodb mongodb From 8.0.0 (inc) to 8.0.24 (exc)
mongodb mongodb From 8.2.0 (inc) to 8.2.10 (exc)
mongodb mongodb From 8.3.0 (inc) to 8.3.3 (exc)

Exploitability

CWE ID  Description
CWE-532 The product writes sensitive information to a log file.

AI Quick Actions

Executive Summary

This vulnerability involves the ldapQueryPassword parameter in MongoDB. When this parameter is set using the runtime setParameter command, the new password is logged in plain text within the mongod.log file.

Compliance Impact

The vulnerability causes the value of the ldapQueryPassword parameter to be logged in plain text within the mongod.log file. This exposure of a sensitive credential in logs can lead to unauthorized access or data breaches.

Such exposure of sensitive authentication credentials may negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and proper handling of authentication information to prevent unauthorized disclosure.

Impact Analysis

The impact of this vulnerability is that sensitive password information is exposed in plain text within log files. This can lead to unauthorized access if an attacker gains access to the logs, potentially compromising the security of the system.

Detection Guidance

This vulnerability can be detected by checking the mongod.log file for any instances where the ldapQueryPassword parameter is logged in plain text.

Since the issue involves the runtime setParameter command logging the password, you can search the mongod.log file for entries related to ldapQueryPassword.

  • Use a command like: grep ldapQueryPassword /path/to/mongod.log
  • Review the log entries for any plaintext passwords being recorded.
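
As an added example (not part of this advisory or of MongoDB's code), the following Python check implements the detection guidance above against the JSON-per-line format mongod writes: it flags entries whose ldapQueryPassword value was recorded unredacted and scrubs that value before the lines are forwarded to a SIEM. The log lines are constructed samples, not real captures.

```python
import json
import re

# Constructed sample mongod.log lines in the JSON log format (not real captures).
# Line 2 carries the plaintext bind password; line 3 shows the same command
# with mongod's "###" redaction placeholder, which should not be flagged.
SAMPLE_LOG = """\
{"t":{"$date":"2026-06-10T12:00:00.001+00:00"},"s":"I","c":"NETWORK","id":22943,"ctx":"listener","msg":"Connection accepted","attr":{"remote":"10.0.0.5:51234","connectionId":12}}
{"t":{"$date":"2026-06-10T12:00:01.010+00:00"},"s":"I","c":"COMMAND","id":51803,"ctx":"conn12","msg":"Slow query","attr":{"type":"command","ns":"admin.$cmd","command":{"setParameter":1,"ldapQueryPassword":"S3cr3t-bind-pw","$db":"admin"},"durationMillis":4}}
{"t":{"$date":"2026-06-10T12:00:02.020+00:00"},"s":"I","c":"COMMAND","id":51803,"ctx":"conn13","msg":"Slow query","attr":{"type":"command","ns":"admin.$cmd","command":{"setParameter":1,"ldapQueryPassword":"###","$db":"admin"},"durationMillis":2}}
{"t":{"$date":"2026-06-10T12:00:03.030+00:00"},"s":"I","c":"CONTROL","id":20712,"ctx":"main","msg":"Options set by command line","attr":{"options":{"security":{"ldap":{"bind":{"queryUser":"cn=mongo,dc=example,dc=com"}}}}}}
"""

PARAM = "ldapQueryPassword"
REDACTED = "###"  # placeholder mongod uses when it does redact a field


def _walk(obj):
    """Yield every (key, value) pair in a nested JSON object, depth first."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield key, value
            yield from _walk(value)
    elif isinstance(obj, list):
        for value in obj:
            yield from _walk(value)


def find_leaked(log_text):
    """Return one record per log line whose ldapQueryPassword value is plaintext."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        if PARAM not in line:
            continue  # cheap pre-filter, same effect as the grep above
        entry = json.loads(line)
        for key, value in _walk(entry.get("attr", {})):
            if key == PARAM and value != REDACTED:
                hits.append({"line": lineno, "ts": entry["t"]["$date"], "ctx": entry.get("ctx")})
    return hits


# Matches the JSON member "ldapQueryPassword":"<any string>" so only the value is replaced.
_PLAIN_VALUE = re.compile(rf'("{PARAM}"\s*:\s*)"(?:[^"\\]|\\.)*"')


def scrub(log_text):
    """Replace every plaintext ldapQueryPassword value with ### (line stays valid JSON)."""
    return _PLAIN_VALUE.sub(rf'\1"{REDACTED}"', log_text)
```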

Mitigation Strategies

To mitigate this vulnerability, avoid setting the ldapQueryPassword parameter through the runtime setParameter command, as this causes the password to be logged in plain text.

Instead, configure the ldapQueryPassword parameter through secure configuration files or environment variables that do not get logged.

Additionally, review and restrict access to the mongod.log file to prevent unauthorized viewing of sensitive information.
