CVE-2026-9735
MediumCVSS 5.5Exploitation Probability (EPSS)
Low risk2th percentile - higher than 2% of all known CVEs
Summary
The MongoDB server may log authentication parameters, including credentials, to the server log during SASL authentication. When connection health metric logging is enabled, the full authentication parameters are written to the log without redaction.
Risk Assessment
Logging credentials in logs can lead to unauthorized access to the system if logs are not properly secured. This poses a risk of sensitive information leakage.
Recommendation
It is recommended to disable connection health metric logging or implement log redaction mechanisms to protect authentication data from unauthorized access.
Original NVD description (English source)
MongoDB server may log authentication parameters, including credentials, to the server log during SASL authentication. When connection health metric logging is enabled, the full authentication parameters are written to the log without redaction.

