CVE-2026-6231

EUVD-2026-22023
The bson_validate function may return early on specific inputs and incorrectly report success. This behavior could result in skipping validation for BSON data, allowing malformed or invalid UTF-8 sequences to bypass validation and be processed incorrectly. The issue may affect applications that rely on these functions to validate untrusted BSON data before further processing. This issue affects MongoDB C Driver versions prior to 1.30.5, MongoDB C Driver version 2.0.0 and MongoDB C Driver version 2.0.1.

| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | Primary | 4.3 MEDIUM | NETWORK | LOW | LOW | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |

EPSS Score
Percentile: 16%

Affected Products (NVD)

| Vendor | Product | Version |
|---|---|---|
| mongodb | c_driver | 𝑥 < 1.30.5 |
| mongodb | c_driver | 2.0.0 ≤ 𝑥 < 2.0.2 |

𝑥 = Vulnerable software versions

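Debian Releases

| Debian Product | Codename | Version | Status |
|---|---|---|---|
| mongo-c-driver | bookworm | 1.23.1-1+deb12u3 | fixed |
| mongo-c-driver | bullseye | | postponed |
| mongo-c-driver | bullseye (security) | | vulnerable |
| mongo-c-driver | forky | 2.3.0-1 | fixed |
| mongo-c-driver | sid | 2.3.0-1 | fixed |
| mongo-c-driver | trixie | 1.30.4-1+deb13u2 | fixed |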