Plain Text Password Logging via ldapQueryPassword in MongoDB: CVE-2026-9751 June 2026

Plain Text Password Logging via ldapQueryPassword in MongoDB
CVE-2026-9751 Published on June 9, 2026

Sensitive data could be written to mongod.log
The ldapQueryPassword parameter, when set through the runtime setParameter command, will log the new password to the mongod.log file in plain text.

Vulnerability Analysis

CVE-2026-9751 can be exploited with local system access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.

Attack Vector:

LOCAL

Attack Complexity:

LOW

Privileges Required:

LOW

User Interaction:

NONE

Scope:

UNCHANGED

Confidentiality Impact:

HIGH

Integrity Impact:

NONE

Availability Impact:

NONE

Weakness Type

Insertion of Sensitive Information into Log File

Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.

Products Associated with CVE-2026-9751

Want to know whenever a new CVE is published for MongoDB? stack.watch will email you.

Affected Versions

Version 8.3.0 and below 8.3.3 is affected.

Version 8.2.0 and below 8.2.10 is affected.

Version 8.0.0 and below 8.0.24 is affected.

Version 7.0.0 and below 7.0.35 is affected.

Plain Text Password Logging via ldapQueryPassword in MongoDBCVE-2026-9751 Published on June 9, 2026

Vulnerability Analysis

Weakness Type

Insertion of Sensitive Information into Log File

Products Associated with CVE-2026-9751

Affected Versions

Plain Text Password Logging via ldapQueryPassword in MongoDB
CVE-2026-9751 Published on June 9, 2026