When connecting to a replicaSet using replicaSet=true, the connection pool does not pay attention to the validity of the connection and reuses invalid connections or unauthenticated connections.
Steps to reproduce:
1) Make a few valid connections to a replicaSet using the replicaSet=true connection parameter. This will fill the connection pool with valid connections.
2) Modify the password in your connection string to be invalid.
3) Attempt to connect again. Even though you have the wrong password, you can jump on an old persistent connection and still use it.
This obviously has security consequences. It is possible for an unprivileged user to access the database even if they do not have the password because they can reuse a persistent connection from the pool.
This has other negative consequences. If a connection fails for some reason, that invalid connection is still in the pool and will give errors to anyone that uses it.
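
The pooling flaw described above, modelled as an added Python simulation (not part of the original report and not the driver's code): a pool keyed only by the seed list next to one keyed by seeds, user and a credential digest that also evicts dead connections. All class names, hosts and credentials here are hypothetical, constructed values.

```python
import hashlib
import hmac

# Constructed stand-in for the server's user table (hypothetical values).
SERVER_USERS = {"app": "s3cret"}

class Conn:
    """Simulated connection to a replica set."""
    def __init__(self, seeds):
        self.seeds, self.alive, self.authed_as = seeds, True, None

    def authenticate(self, user, password):
        expected = SERVER_USERS.get(user)
        if expected is None or not hmac.compare_digest(expected, password):
            raise PermissionError("auth failed")
        self.authed_as = user

class NaivePool:
    """Behaviour described in the report: pool entry keyed by seed list only."""
    def __init__(self):
        self.idle = {}

    def get(self, seeds, user, password):
        if seeds in self.idle:
            return self.idle[seeds]  # neither credentials nor liveness checked
        conn = Conn(seeds)
        conn.authenticate(user, password)
        self.idle[seeds] = conn
        return conn

class CheckedPool:
    """Keyed by seeds + user + credential digest; dead connections evicted."""
    def __init__(self):
        self.idle = {}

    @staticmethod
    def _key(seeds, user, password):
        digest = hashlib.sha256(f"{user}:{password}".encode()).hexdigest()
        return (seeds, user, digest)

    def get(self, seeds, user, password):
        key = self._key(seeds, user, password)
        conn = self.idle.get(key)
        if conn is not None and conn.alive:
            return conn
        self.idle.pop(key, None)           # drop a broken connection
        conn = Conn(seeds)
        conn.authenticate(user, password)  # raises before anything is pooled
        self.idle[key] = conn
        return conn
```

With `CheckedPool`, a caller presenting a different password never maps to an existing pool entry, so it must authenticate on a fresh connection and fails there.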