CVE-2026-9735: MongoDB Information Disclosure Vulnerability

CVE-2026-9735 Overview

CVE-2026-9735 is an information disclosure vulnerability in MongoDB server. The server writes full Simple Authentication and Security Layer (SASL) authentication parameters, including credentials, to the server log when connection health metric logging is enabled. The authentication payload is recorded without redaction, exposing sensitive material to anyone with access to log files. The issue is tracked upstream as MongoDB ticket SERVER-126506 and is classified as [CWE-532] Insertion of Sensitive Information into Log File.

Critical Impact

Authentication credentials submitted through SASL flows are persisted in plaintext within MongoDB server logs, enabling credential theft by any local actor with log read access.

Affected Products

• MongoDB Server (versions with connection health metric logging enabled)
• Deployments using SASL-based authentication mechanisms
• Environments forwarding MongoDB logs to centralized logging systems

Discovery Timeline

• 2026-06-09 - CVE-2026-9735 published to the National Vulnerability Database (NVD)
• 2026-06-10 - Last updated in NVD database

Technical Details for CVE-2026-9735

Vulnerability Analysis

MongoDB supports SASL for client authentication, covering mechanisms such as SCRAM-SHA-1, SCRAM-SHA-256, and PLAIN. During authentication, clients send authentication parameters to the server in structured payloads. When the server has connection health metric logging enabled, it writes diagnostic information about each connection to the server log.

The defect lies in the logging path for connection health metrics. The server emits the full authentication parameter set into log records without applying redaction to credential fields. As a result, sensitive material that should remain confined to the authentication state machine is persisted to disk and to any downstream log aggregation pipeline.

Exploitation does not require network access or unauthenticated interaction. An attacker who can read the MongoDB log files, including local users, backup operators, or operators of log shippers, can recover credentials submitted by legitimate clients. The Exploit Prediction Scoring System (EPSS) data indicates a low probability of in-the-wild exploitation at publication, but the impact on credential confidentiality is direct.

Root Cause

The root cause is improper output sanitization in the connection health metric logging routine. Authentication parameter structures are serialized into log entries as-is, without applying the credential redaction filter that protects other server log paths. This is a classic [CWE-532] pattern in which a diagnostic feature inherits authentication-sensitive data from the calling context.

Attack Vector

The attack vector is local. An adversary with read access to MongoDB server log files, log archives, or downstream Security Information and Event Management (SIEM) indices recovers SASL credentials by parsing logged authentication events. The attacker then replays the credentials against the MongoDB instance or any system where the user reuses them.

No verified exploit code is published. The vulnerability manifests as plaintext credential strings inside log records produced during SASL handshakes when health metric logging is active. See the MongoDB Issue SERVER-126506 for upstream technical details.

Detection Methods for CVE-2026-9735

Indicators of Compromise

• Server log entries containing SASL authentication payload fields alongside connection health metric records.
• Plaintext occurrences of saslStart, saslContinue, or PLAIN mechanism payloads inside MongoDB log files.
• Unexpected access to MongoDB log directories or log archives by accounts outside the database administration group.

Detection Strategies

• Scan MongoDB log files for credential-bearing patterns associated with SASL frames and flag any record produced by the connection health metric logger.
• Audit log shipping configurations to identify pipelines that forward MongoDB logs into shared SIEM or storage tiers with broader access than the database tier.
• Correlate read access events on MongoDB log paths with user activity to identify operators or services reading logs without an operational need.

Monitoring Recommendations

• Enable file integrity and access monitoring on the MongoDB log directory and any rotated archives.
• Monitor for configuration changes that enable connection health metric logging on production clusters.
• Alert on anomalous queries to log indices in centralized logging platforms that search for credential keywords.

How to Mitigate CVE-2026-9735

Immediate Actions Required

• Disable connection health metric logging on MongoDB instances until a patched build is deployed.
• Rotate credentials for any account that authenticated to an affected instance while the logging feature was active.
• Restrict read access to MongoDB log files and archives to the minimum set of administrative accounts.
• Purge or re-secure historical log archives that may contain captured SASL parameters.

Patch Information

MongoDB tracks the fix under SERVER-126506. Apply the MongoDB server release that contains the redaction fix for connection health metric logging once it is available for the supported branch in use. Until the patch is applied, treat logs from affected versions as credential-bearing material.

Workarounds

• Set the MongoDB log verbosity for the relevant component to a level that suppresses connection health metric output.
• Route logs to storage with access controls equivalent to the credential store, and encrypt log volumes at rest.
• Replace PLAIN SASL usage with SCRAM-SHA-256 to reduce the value of any residual logged material, recognizing that challenge data may still expose sensitive parameters.

# Configuration example: disable connection health metric logging in mongod.conf
setParameter:
  enableConnectionHealthMetrics: false

# Restrict log directory permissions
chown -R mongod:mongod /var/log/mongodb
chmod 750 /var/log/mongodb
chmod 640 /var/log/mongodb/*.log