MongoDB
cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*
- 8.2.5
- 7.0.30
- 8.0.19
A missing authorization check in the user management command in MongoDB allows authenticated users to make limited changes to authentication-related data of other users. Specifically, it enables a user to downgrade another user's authentication method from SCRAM-SHA-256 to SCRAM-SHA-1. This vulnerability affects MongoDB versions 8.2.5, 7.0.30, and 8.0.19.
Exploitation of this vulnerability allows for unauthorized modification of user authentication mechanisms, potentially weakening the security of the affected user accounts.
To reproduce this vulnerability, an authenticated user issues a user management command that changes another user's authentication mechanism; because the server performs no authorization check on this change, the target account can be downgraded from SCRAM-SHA-256 to SCRAM-SHA-1.
Users can upgrade to MongoDB versions 8.3.0-rc0, 8.2.7, 8.0.21, or 7.0.32 to address this vulnerability.
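As an added defensive check (example code written here, not MongoDB's own), the helper below classifies a server release against the affected and fixed versions listed above and flags accounts whose stored credentials accept SCRAM-SHA-1, including accounts that were SCRAM-SHA-256-only in an earlier snapshot. It reads documents shaped like the `buildInfo` and `usersInfo` command responses (for example `db.adminCommand({usersInfo: {forAllDBs: true}})` in mongosh); the sample documents are constructed.

```python
# Audit helper for the advisory above (example code, not MongoDB's own).
# Inputs follow the shape of the `buildInfo` and `usersInfo` responses.

AFFECTED_VERSIONS = {"8.2.5", "7.0.30", "8.0.19"}            # from the advisory
FIXED_VERSIONS = {"8.3.0-rc0", "8.2.7", "8.0.21", "7.0.32"}  # from the advisory
WEAK, STRONG = "SCRAM-SHA-1", "SCRAM-SHA-256"


def version_status(build_info: dict) -> str:
    """Classify the server release as 'affected', 'fixed' or 'unknown'."""
    version = build_info.get("version", "")
    if version in AFFECTED_VERSIONS:
        return "affected"
    if version in FIXED_VERSIONS:
        return "fixed"
    return "unknown"


def _mechanisms(users_info: dict) -> dict[str, list[str]]:
    """Map 'db.user' -> mechanisms from a usersInfo response."""
    return {f"{u['db']}.{u['user']}": u.get("mechanisms", [])
            for u in users_info.get("users", [])}


def users_allowing_sha1(users_info: dict) -> list[str]:
    """Accounts whose credentials accept the weaker SCRAM-SHA-1 mechanism."""
    return sorted(n for n, m in _mechanisms(users_info).items() if WEAK in m)


def downgraded_since(baseline: dict[str, list[str]], users_info: dict) -> list[str]:
    """Accounts that were SCRAM-SHA-256-only in `baseline` (an earlier
    snapshot of 'db.user' -> mechanisms) but now accept SCRAM-SHA-1:
    the downgrade the advisory describes."""
    return sorted(n for n, m in _mechanisms(users_info).items()
                  if WEAK in m and WEAK not in baseline.get(n, [])
                  and STRONG in baseline.get(n, []))


def audit(build_info: dict, users_info: dict, baseline: dict[str, list[str]]) -> dict:
    return {"version_status": version_status(build_info),
            "sha1_users": users_allowing_sha1(users_info),
            "downgraded": downgraded_since(baseline, users_info)}


# Constructed sample data (not captured from a real deployment).
SAMPLE_BUILD_INFO = {"version": "8.0.19", "ok": 1}
SAMPLE_USERS_INFO = {"users": [
    {"_id": "admin.alice", "user": "alice", "db": "admin", "mechanisms": [STRONG]},
    {"_id": "admin.bob", "user": "bob", "db": "admin", "mechanisms": [WEAK, STRONG]},
    {"_id": "app.svc", "user": "svc", "db": "app", "mechanisms": [WEAK]},
], "ok": 1}
SAMPLE_BASELINE = {"admin.alice": [STRONG], "admin.bob": [STRONG], "app.svc": [WEAK]}

if __name__ == "__main__":
    print(audit(SAMPLE_BUILD_INFO, SAMPLE_USERS_INFO, SAMPLE_BASELINE))
```

Keeping a periodic snapshot of each account's mechanisms is what makes the downgrade detectable; an account that legitimately still uses SCRAM-SHA-1 (like `app.svc` in the sample) is reported as weak but not as downgraded.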