CVE-2026-9751
Sensitive data could be written to mongod.log
Description
The ldapQueryPassword parameter, when set through the runtime setParameter command, will log the new password to the mongod.log file in plain text.
How to fix CVE-2026-9751
To remediate CVE-2026-9751, upgrade the affected package to a fixed version below.
- Bitnami/mongodb—upgrade to 7.0.35 or later
Is CVE-2026-9751 being exploited?
No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-9751.
Affected packages (1)
- Bitnami/mongodb>= 7.0.0, < 7.0.35, >= 8.0.0, < 8.0.24, >= 8.2.0, < 8.2.10, >= 8.3.0, < 8.3.3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |