CVE-2026-9751 Overview
CVE-2026-9751 is an information disclosure vulnerability in MongoDB. When an administrator updates the ldapQueryPassword parameter at runtime through the setParameter command, the server writes the new password value to the mongod.log file in plain text. The flaw is classified under CWE-532: Insertion of Sensitive Information into Log File. Local actors with read access to the log file can recover the LDAP bind credential and use it to authenticate to the directory service.
Critical Impact
Plaintext LDAP credentials persisted in mongod.log give any user or process with log-read access the ability to compromise the directory bind account.
Affected Products
- MongoDB Server (tracked under MongoDB SERVER-123370)
- Deployments using LDAP authentication or authorization with ldapQueryPassword
- Configurations where ldapQueryPassword is updated via the runtime setParameter command
Discovery Timeline
- 2026-06-09 - CVE-2026-9751 published to NVD
- 2026-06-10 - Last updated in NVD database
Technical Details for CVE-2026-9751
Vulnerability Analysis
MongoDB exposes the ldapQueryPassword server parameter to configure the bind password used when querying an LDAP directory for authentication or authorization data. Operators may update this parameter at runtime using the db.adminCommand({ setParameter: 1, ldapQueryPassword: "<value>" }) command without restarting the server. The runtime mutation path emits an audit-style log entry that includes the new parameter value. Because MongoDB does not redact secret parameters in this code path, the credential appears verbatim in mongod.log.
The attack is local in nature. An adversary needs read access to the log file, which is commonly granted to operators, log shippers, backup processes, or SIEM forwarders. Once captured, the LDAP bind credential allows the attacker to query or modify the directory subject to the bound account's permissions.
Root Cause
The root cause is missing sensitive-parameter handling in the runtime setParameter logging code path. Parameters known to hold secrets should be masked before serialization to the log sink. Tracking and remediation details are maintained in the MongoDB Issue Tracker entry SERVER-123370.
Attack Vector
Exploitation requires local access and low privileges. A user able to read mongod.log, including through log aggregation pipelines, can extract the LDAP bind password. No user interaction is required, and the exposure persists for the lifetime of the log file and its backups. The vulnerability does not affect integrity or availability of MongoDB data directly but provides credential material that may enable lateral movement against the LDAP infrastructure.
Detection Methods for CVE-2026-9751
Indicators of Compromise
- Entries in mongod.log containing the string ldapQueryPassword accompanied by a non-redacted value
- Audit records showing setParameter commands targeting ldapQueryPassword issued against the admin database
- Access to mongod.log by accounts or processes outside the expected operator and log-forwarding set
Detection Strategies
- Search historical and current mongod.log files for occurrences of ldapQueryPassword and treat any matches with cleartext values as exposed credentials.
- Correlate MongoDB audit logs for setParameter invocations changing ldapQueryPassword against the user and source IP that issued the command.
- Add file integrity and access monitoring on mongod.log paths and on any downstream log aggregation storage that may contain copies.
Monitoring Recommendations
- Forward MongoDB logs to a centralized analytics platform and alert on the literal token ldapQueryPassword appearing in log content.
- Review SIEM ingestion pipelines and storage to determine whether prior log batches already contain the exposed value, and purge or rotate as required.
- Monitor the LDAP bind account for anomalous authentication activity, including source addresses outside the MongoDB host range.
How to Mitigate CVE-2026-9751
Immediate Actions Required
- Rotate the LDAP bind password used by ldapQueryPassword on every MongoDB node that received a runtime update of this parameter.
- Purge or restrict access to mongod.log files and archived copies that contain the cleartext value, including SIEM and backup tiers.
- Restrict the setParameter privilege to a minimal set of administrative accounts and audit recent uses against ldapQueryPassword.
Patch Information
Monitor the MongoDB Issue Tracker entry SERVER-123370 for the fixed server versions. Apply the vendor-supplied build to all replica set members and mongos routers once available, and validate that mongod.log no longer records the parameter value after a runtime change.
Workarounds
- Set ldapQueryPassword exclusively through the configuration file or the --setParameter startup option rather than at runtime, so the value is not written to the log.
- Tighten filesystem permissions on mongod.log to the mongod service account only and ensure log shippers run with read-only access via a dedicated, audited identity.
- Review and sanitize existing log archives, then enforce log retention policies that minimize the window during which exposed credentials could be retrieved.
# Configuration example: set ldapQueryPassword via config file instead of runtime setParameter
# /etc/mongod.conf
setParameter:
ldapQueryUser: "cn=mongo-bind,ou=service,dc=example,dc=com"
ldapQueryPassword: "<rotated-secret>"
# Restrict log file permissions
chown mongod:mongod /var/log/mongodb/mongod.log
chmod 600 /var/log/mongodb/mongod.log
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
