CVE-2026-6915 Overview
CVE-2026-6915 is an authorization flaw in the MongoDB user management command. An authenticated user with limited privileges can make narrow modifications to authentication-related data tied to another user account. These changes can alter how authentication is performed for the impacted account, weakening account integrity guarantees.
The weakness is categorized under [CWE-1284] (Improper Validation of Specified Quantity in Input) and affects MongoDB Server. Because the flaw resides in the user management command path, exploitation requires valid credentials but no user interaction. The issue is tracked publicly under the MongoDB server ticket SERVER-119679.
Critical Impact
An authenticated attacker can alter authentication-related metadata on another user's account, potentially affecting how that account authenticates and undermining trust in identity controls.
Affected Products
- MongoDB Server (see vendor advisory SERVER-119679 for fixed versions)
- Deployments using the affected user management command paths
- Multi-tenant clusters where multiple authenticated principals share an authentication database
Discovery Timeline
- 2026-04-29 - CVE-2026-6915 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-6915
Vulnerability Analysis
The vulnerability resides in the MongoDB user management command flow. The command path fails to enforce a complete authorization check before applying changes that target authentication-related fields of another user document. An authenticated principal with limited privileges can invoke the command and modify a narrow subset of authentication data tied to a different account.
The scope of modification is constrained, which is reflected in the limited confidentiality, integrity, and availability impact under [CWE-1284]. However, even narrow changes to authentication-related state can alter how the targeted account authenticates on subsequent logins. This breaks the expectation that only an account owner or an administrator can influence the authentication posture of an account.
Root Cause
The root cause is incomplete authorization validation in the user management command handler. The handler accepts an authenticated session and processes parameters that reference a target user. It does not fully verify whether the caller is permitted to mutate every field included in the request against the target user.
Attack Vector
The attack vector is the network-exposed MongoDB wire protocol. The attacker must hold valid credentials with low privileges (PR:L) on the cluster. No user interaction is required.
A typical exploitation sequence involves authenticating to the database, invoking the affected user management command with another user's name as the target, and supplying parameters that modify authentication-related data. The MongoDB Server issue tracker entry SERVER-119679 is the authoritative reference for affected versions and patched releases.
No public proof-of-concept exploit is available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The EPSS probability is 0.046%.
Detection Methods for CVE-2026-6915
Indicators of Compromise
- Audit log entries showing user management commands (for example updateUser, grantRolesToUser, or related administrative commands) issued by low-privileged principals against accounts they do not own.
- Unexpected changes to authentication metadata, credential mechanisms, or SCRAM data on user documents in the admin.system.users collection.
- Authentication anomalies on accounts whose user records were recently modified by another principal.
Detection Strategies
- Enable MongoDB auditing and filter for authCommand events targeting user management operations. Alert on cases where the acting user is not an administrator and the target user differs from the caller.
- Baseline which principals are expected to issue user management commands. Flag deviations as high-priority detections.
- Correlate user management command events with subsequent authentication failures or mechanism changes on the targeted account.
Monitoring Recommendations
- Forward MongoDB audit logs to a centralized analytics platform and retain them for at least 90 days for post-incident review.
- Monitor changes to documents in admin.system.users and trigger alerts on field-level modifications to authentication data.
- Track failed and successful authentications per user and look for sudden shifts in authentication mechanism or source IP after administrative changes.
How to Mitigate CVE-2026-6915
Immediate Actions Required
- Upgrade MongoDB Server to the patched release listed in MongoDB SERVER-119679.
- Audit the admin.system.users collection for unexpected modifications to authentication-related fields and reset credentials where tampering is suspected.
- Review role assignments and remove user management privileges from accounts that do not require them.
Patch Information
MongoDB tracks the fix under SERVER-119679. Consult the linked advisory for the exact patched versions for each supported release branch and apply the appropriate upgrade in test environments before production rollout.
Workarounds
- Restrict the userAdmin and userAdminAnyDatabase roles to a minimal set of administrative accounts and require multi-factor authentication for those accounts.
- Segment database access by tenant or application using separate authentication databases to limit the blast radius of an authorization bypass.
- Enable MongoDB auditing in advance of patching so any exploitation attempts during the upgrade window are recorded.
# Enable auditing for authentication and user management events
mongod --auditDestination file \
--auditFormat JSON \
--auditPath /var/log/mongodb/audit.json \
--auditFilter '{ atype: { $in: [ "createUser", "updateUser", "dropUser", "grantRolesToUser", "revokeRolesFromUser", "authenticate" ] } }'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
