Detections
Analytics
MongoDB 8.2.x < 8.2.10 / 8.3.x < 8.3.3 Multiple Vulnerabilities
high Nessus Plugin ID 320795
Synopsis
The remote host is missing a security update.Description
The version of MongoDB installed on the remote host is 8.2.x prior to 8.2.10, or 8.3.x prior to 8.3.3. It is, therefore, affected by multiple vulnerabilities:- When OIDC authentication is enabled in configuration, clients may set specific values in the 'mechanism' parameter of the 'authenticate' command that lead to server crash. The authenticate command is accessible to unauthenticated clients, leading to pre-auth denial-of-service in affected product configurations.
(CVE-2026-9742)
- An authenticated user with the read role may read limited amounts of uninitialized stack memory via specially-crafted issuances of the filemd5 command. (CVE-2026-9754)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Upgrade to MongoDB version 8.2.10 or 8.3.3 or later.See Also
Plugin Details
Severity: High
ID: 320795
File Name: mongodb_server_SERVER-124183.nasl
Version: 1.1
Type: Combined
Agent: windows, macosx, unix
Family: Databases
Published: 6/12/2026
Updated: 6/12/2026
Configuration: Enable thorough checks (optional)
Supported Sensors: Nessus Agent, Nessus
Risk Information
VPR
Risk Factor: Low
Score: 3.6
CVSS v2
Risk Factor: High
Base Score: 7.8
Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C
CVSS Score Source: CVE-2026-9742
CVSS v3
Risk Factor: High
Base Score: 7.5
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS v4
Risk Factor: High
Base Score: 8.2
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Vulnerability Information
CPE: cpe:/a:mongodb:mongodb
Required KB Items: installed_sw/MongoDB
Patch Publication Date: 6/9/2026
Vulnerability Publication Date: 6/9/2026
Reference Information
CVE: CVE-2026-9742, CVE-2026-9754
IAVA: 2026-A-0590