A session expiration flaw was discovered in MongoDB. After a user is deleted, the session tokens for that user do not expire and can be reused if a new user is created with the same name. An attacker with access to a MongoDB user could exploit this flaw to gain access to the new user account.
This vulnerability can be mitigated by either of two administrative practices:
If your mongodb instance is deployed in a situation where users never need to be deleted, or one of the above mitigations can be applied, this vulnerability can not be exploited.