CVE-2026-6231

EUVD-2026-22023
The bson_validate function may return early on specific inputs and incorrectly report success. This behavior could result in skipping validation for BSON data, allowing malformed or invalid UTF-8 sequences to bypass validation and be processed incorrectly. The issue may affect applications that rely on these functions to validate untrusted BSON data before further processing. This issue affects MongoDB C Driver versions prior to 1.30.5, MongoDB C Driver version 2.0.0 and MongoDB C Driver version 2.0.1.
| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| mongodb | CNA | 4.3 MEDIUM | NETWORK | LOW | LOW | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
EPSS Score
Percentile: Unknown
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
| Vendor | Product | Version | Source |
|---|---|---|---|
| mongodb | c_driver | 1.0 ≤ x < 1.30.5 | CNA |
| mongodb | c_driver | 2.0 ≤ x < 2.0.2 | CNA |
Debian Releases
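| Debian Product | Codename | Version | Status |
|---|---|---|---|
| mongo-c-driver | bookworm | | vulnerable |
| mongo-c-driver | bullseye | | vulnerable |
| mongo-c-driver | bullseye (security) | | vulnerable |
| mongo-c-driver | forky | 2.2.3-1 | fixed |
| mongo-c-driver | sid | 2.2.4-1 | fixed |
| mongo-c-driver | trixie | | vulnerable |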