Loading...

XML

Word

Printable

JSON

Type: Bug
Resolution: Fixed
Priority: Critical - P2
Fix Version/s: 8.3.0-rc0, 8.2.7, 8.0.21, 7.0.32
Affects Version/s: 8.2.5, 7.0.30, 8.0.19
Component/s: Security
Labels:
None

Assigned Teams:

Server Security
Backwards Compatibility:
Fully Compatible
Operating System:
ALL
Backport Requested:

v8.2, v8.0, v7.0
Sprint:
Server Security 2026-02-13, Server Security 2026-02-27
CAR Domain/s:
None

Aha! Reference:
None
Tracking Level:
None
Risk Status:
None
Exec Notes:
None
Goal Name(s):
None
Goal Link:
None

A missing authorization check in the updateUser command allows any authenticated user to downgrade any other user's authentication mechanism from SCRAM-SHA-256 to SCRAM-SHA-1. This is the function that is missing that check:
https://github.com/10gen/mongo/blob/master/src/mongo/db/commands/user_management_commands_common.cpp#L219

Assignee:: Gabriel Marks
Reporter:: Thanh Nguyen
Participants:: Gabriel Marks, Githook User, Thanh Nguyen
Votes:: 0 Vote for this issue
Watchers:: 5 Start watching this issue

Created:: Feb 13 2026 03:51:54 PM UTC
Updated:: Apr 29 2026 04:49:25 PM UTC
Resolved:: Feb 23 2026 09:59:03 PM UTC