MongoDB Auth Flaw: Auth'd User Can Alter Another User's Auth Data
CVE-2026-6915 Published on April 29, 2026
Flaw in the updateUser Command May Allow Unauthorized Configuration Change
An authorization flaw in the user management command could allow an authenticated user to make limited changes to authentication-related data associated with another user account. This could affect how authentication is performed for the impacted account.
Vulnerability Analysis
CVE-2026-6915 can be exploited with network access and requires a small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be low. It is considered to have a small impact on confidentiality, integrity, and availability.
Weakness Type
Improper Validation of Specified Quantity in Input
The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.
Products Associated with CVE-2026-6915
Affected Versions
MongoDB Server:
- Version 8.2.0 and below 8.2.7 is affected.
- Version 8.0.0 and below 8.0.21 is affected.
- Version 7.0.0 and below 7.0.32 is affected.
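To check a deployment inventory against the ranges listed above, the following added example (not part of the original advisory or MongoDB's own tooling) classifies version strings such as those returned by db.version(). The status names, the handling of pre-release builds, and the sample inventory are assumptions made for illustration.

```python
import re

# Ranges exactly as listed on this page: series -> (first affected, exclusive upper bound).
AFFECTED = {
    (8, 2): ((8, 2, 0), (8, 2, 7)),
    (8, 0): ((8, 0, 0), (8, 0, 21)),
    (7, 0): ((7, 0, 0), (7, 0, 32)),
}

def parse_version(text):
    """Return ((major, minor, patch), is_prerelease) for '8.0.20', 'v7.0.31-rc0', ..."""
    m = re.match(r"\s*v?(\d+)\.(\d+)\.(\d+)(-\S+)?", text)
    if not m:
        raise ValueError(f"unrecognized version string: {text!r}")
    return tuple(int(p) for p in m.group(1, 2, 3)), m.group(4) is not None

def classify(text):
    """Classify one version string against the listed ranges."""
    version, prerelease = parse_version(text)
    bounds = AFFECTED.get(version[:2])
    if bounds is None:
        # The page lists no range for this release series, so nothing can be concluded.
        return "not-listed"
    low, high = bounds
    if low <= version < high:
        return "affected"
    if version == high and prerelease:
        # Assumption: a pre-release of the boundary version is not treated as
        # equivalent to the final release; flag it for a manual check.
        return "review-manually"
    return "outside-listed-range"

def audit(inventory):
    """Map each host to its status; unparseable versions are flagged, not dropped."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = classify(version)
        except ValueError:
            result[host] = "unparseable"
    return result

if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    sample = {"db-a": "8.2.6", "db-b": "8.0.21", "db-c": "7.0.31-rc0",
              "db-d": "6.0.15", "db-e": "8.0.21-rc0", "db-f": "unknown"}
    for host, status in audit(sample).items():
        print(f"{host}: {status}")
```

A "not-listed" result means only that this page gives no range for that release series, not that the series is unaffected.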