MongoDB OIDC Pre-Auth DoS via 'mechanism' param: CVE-2026-9742 June 2026

Authenticate command with specific mechanism parameter can trigger server crash
When OIDC authentication is enabled in configuration, clients may set specific values in the "mechanism" parameter of the "authenticate" command that lead to server crash. The authenticate command is accessible to unauthenticated clients, leading to pre-auth denial-of-service in affected product configurations.

Vulnerability Analysis

CVE-2026-9742 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.

Attack Vector:

NETWORK

Attack Complexity:

LOW

Privileges Required:

NONE

User Interaction:

NONE

Scope:

UNCHANGED

Confidentiality Impact:

NONE

Integrity Impact:

NONE

Availability Impact:

HIGH

Weakness Type

Improper Validation of Specified Type of Input

The product receives input that is expected to be of a certain type, but it does not validate or incorrectly validates that the input is actually of the expected type.

Products Associated with CVE-2026-9742

Want to know whenever a new CVE is published for MongoDB? stack.watch will email you.

MongoDB OIDC Pre-Auth DoS via 'mechanism' param
CVE-2026-9742 Published on June 9, 2026

Vulnerability Analysis

Weakness Type

Improper Validation of Specified Type of Input

Products Associated with CVE-2026-9742

Affected Versions

MongoDB OIDC Pre-Auth DoS via 'mechanism' paramCVE-2026-9742 Published on June 9, 2026

Vulnerability Analysis

Weakness Type

Improper Validation of Specified Type of Input

Products Associated with CVE-2026-9742

Affected Versions

MongoDB OIDC Pre-Auth DoS via 'mechanism' param
CVE-2026-9742 Published on June 9, 2026