BIT-MONGODB-2026-9751 Sensitive data could be written to mongod.log

The ldapQueryPassword parameter, when set through the runtime setParameter command, will log the new password to the mongod.log file in plain text...

Linux Distros Unpatched Vulnerability : CVE-2026-9748

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - The $internalConvertBucketIndexStats stage used PauseExecution as a way to signal skip this document when an index stats conversion failed. But PauseExecution i...

Linux Distros Unpatched Vulnerability : CVE-2026-9751

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - The ldapQueryPassword parameter, when set through the runtime setParameter command, will log the new password to the mongod.log file in plain text. CVE-2026-975...

CVE-2026-9751

The ldapQueryPassword parameter, when set through the runtime setParameter command, will log the new password to the mongod.log file in plain text...

CVE-2026-9748

The $internalConvertBucketIndexStats stage used PauseExecution as a way to signal "skip this document" when an index stats conversion failed. But PauseExecution is not a general purpose skip mechanism, but rather a TeeBuffer-internal signal used solely by $facet to coordinate its sub-pipelines...

EUVD-2026-35867

The ldapQueryPassword parameter, when set through the runtime setParameter command, will log the new password to the mongod.log file in plain text...

EUVD-2026-35864

The $internalConvertBucketIndexStats stage used PauseExecution as a way to signal "skip this document" when an index stats conversion failed. But PauseExecution is not a general purpose skip mechanism, but rather a TeeBuffer-internal signal used solely by $facet to coordinate its sub-pipelines...

CVE-2026-9748

The $internalConvertBucketIndexStats stage used PauseExecution as a way to signal "skip this document" when an index stats conversion failed. But PauseExecution is not a general purpose skip mechanism, but rather a TeeBuffer-internal signal used solely by $facet to coordinate its sub-pipelines...

CVE-2026-9751

The ldapQueryPassword parameter, when set through the runtime setParameter command, will log the new password to the mongod.log file in plain text...

CVE-2026-9740

A vulnerability in MongoDB Server's BSON validation logic allows an unauthenticated user to crash the mongod process by sending a specially crafted message. The BSON validator's handling of certain nested binary data structures permits uncontrolled mutual recursion between validation functions,...

UBUNTU-CVE-2026-9748

The $internalConvertBucketIndexStats stage used PauseExecution as a way to signal "skip this document" when an index stats conversion failed. But PauseExecution is not a general purpose skip mechanism, but rather a TeeBuffer-internal signal used solely by $facet to coordinate its sub-pipelines...

UBUNTU-CVE-2026-9751

The ldapQueryPassword parameter, when set through the runtime setParameter command, will log the new password to the mongod.log file in plain text...

Unbounded recursion in BSONColumn interleaved-reference causes pre-auth stack overflow

A vulnerability in MongoDB Server's BSON validation logic allows an unauthenticated user to crash the mongod process by sending a specially crafted message. The BSON validator's handling of certain nested binary data structures permits uncontrolled mutual recursion between validation functions,...

CVE-2026-9751 Sensitive data could be written to mongod.log

The ldapQueryPassword parameter, when set through the runtime setParameter command, will log the new password to the mongod.log file in plain text...

CVE-2026-9751

The vulnerability CVE-2026-9751 affects MongoDB’s mongod process: when ldapQueryPassword is set via the runtime setParameter command, the new password is logged in plain text to mongod.log. The issue is caused by logging sensitive parameter data, leading to potential exposure of credentials on th...

Sensitive data could be written to mongod.log

The ldapQueryPassword parameter, when set through the runtime setParameter command, will log the new password to the mongod.log file in plain text...

CVE-2026-9748 $_internalConvertBucketIndexStats may crash the mongod server when working on no timeseries input

The $internalConvertBucketIndexStats stage used PauseExecution as a way to signal "skip this document" when an index stats conversion failed. But PauseExecution is not a general purpose skip mechanism, but rather a TeeBuffer-internal signal used solely by $facet to coordinate its sub-pipelines...

CVE-2026-9748

The CVE-2026-9748 issue affects MongoDB’s mongod when the $_internalConvertBucketIndexStats stage is used before $facet. It treats PauseExecution as an internal TeeBuffer signal rather than a general skip, causing an invariant assertion and a crash when processing no timeseries input. The descrip...

CVE-2026-9748 $_internalConvertBucketIndexStats may crash the mongod server when working on no timeseries input

The $internalConvertBucketIndexStats stage used PauseExecution as a way to signal "skip this document" when an index stats conversion failed. But PauseExecution is not a general purpose skip mechanism, but rather a TeeBuffer-internal signal used solely by $facet to coordinate its sub-pipelines...

PT-2026-48301

Name of the Vulnerable Software and Affected Versions MongoDB affected versions not specified Description The ldapQueryPassword parameter, when configured using the runtime setParameter command, causes the new password to be recorded in plain text within the mongod.log file. Recommendations At th...