Create a user.
    use admin
    db.runCommand({
      createUser: "repro_user",
      pwd: "password123",
      roles: [{ role: "read", db: "admin" }]
    })
Run updateUser (or createUser) with authenticationRestrictions.clientSource containing at least one invalid/non-address token (for example, a placeholder-like string).
    db.runCommand({
      updateUser: "repro_user",
      authenticationRestrictions: [
        {
          clientSource: [
            "10.0.0.1",
            "NOT_AN_IP_OR_CIDR",
            "127.0.0.1"
          ]
        }
      ]
    })
Query admin.system.users
    admin> db.system.users.findOne({ user: "repro_user", db: "admin" })
    {
      _id: 'admin.repro_user',
      userId: UUID('xxxx'),
      user: 'repro_user',
      db: 'admin',
      credentials: {
        'SCRAM-SHA-1': {
          iterationCount: 10000,
          salt: 'WJ96stk5PUxy18CQkYx7ig==',
          storedKey: 'cPvfXp5rQjkwwvLgmcV0ZLvHXdk=',
          serverKey: 'mqNbRjhT1acJWjh80C8dh9PIhgY='
        },
        'SCRAM-SHA-256': {
          iterationCount: 15000,
          salt: 'q3VhUxUDNoLAnCK+s4qr981BUdMstYMrbZ5hgQ==',
          storedKey: 'VVWIZFnX9FOTtLJyHWJabJboO3b7moqel+lHOI9BchI=',
          serverKey: 'vw8prAIT0+j31nkUviQLU2dwJ+I9QQ5s+mGt10K9Gxw='
        }
      },
      roles: [ { role: 'read', db: 'admin' } ],
      authenticationRestrictions: [
        { clientSource: [ '10.0.0.1', 'NOT_AN_IP_OR_CIDR', '127.0.0.1' ] }
      ]
    }
The invalid token is persisted in authenticationRestrictions.clientSource and the command returns success (ok: 1).
Authentication to the user fails on attempt:
Invalid IP address in CIDR string, full error: {'ok': 0.0, 'errmsg': 'Invalid IP address in CIDR string', 'code': 2, 'codeName': 'BadValue', '$clusterTime': {'clusterTime': Timestamp(1780413851, 1), 'signature': {'hash': b'\xxxxxyyyyyy', 'keyId': zzzzzyyyyyy}}, 'operationTime': Timestamp(1780413851, 1)}
Expected behaviour:
Command should fail validation (BadValue or equivalent) when any clientSource entry is not a valid address constraint format, and no invalid restriction values should be persisted.
Actual behaviour:
Command succeeds.
Invalid clientSource entry is stored in system.users.
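
Until the server rejects such values at write time, restriction entries can be checked before calling createUser/updateUser and already-stored users can be audited. The following is an added example, not code from the report or from MongoDB: the function names are hypothetical, the address check is a conservative approximation rather than the server's own parser, and it also covers the serverAddress field, which the report does not exercise.

```javascript
// Added example: conservative address/CIDR check, not the server's own parser.
function isIPv4(s) {
  const parts = s.split(".");
  return parts.length === 4 &&
    parts.every(p => /^(0|[1-9]\d{0,2})$/.test(p) && Number(p) <= 255);
}

function isIPv6(s) {
  if (!/^[0-9a-fA-F:.]+$/.test(s)) return false;
  const halves = s.split("::");
  if (halves.length > 2) return false;             // at most one "::"
  const groups = halves.flatMap(h => (h === "" ? [] : h.split(":")));
  let count = groups.length;
  const last = groups[groups.length - 1];
  if (last !== undefined && last.includes(".")) {  // embedded IPv4 tail = 2 groups
    if (!isIPv4(last)) return false;
    groups.pop();
    count += 1;
  }
  if (!groups.every(g => /^[0-9a-fA-F]{1,4}$/.test(g))) return false;
  return halves.length === 2 ? count <= 7 : count === 8;
}

// Accepts a bare address or address/prefix with an in-range prefix length.
function isValidAddressOrCidr(entry) {
  if (typeof entry !== "string") return false;
  const [addr, prefix, ...rest] = entry.split("/");
  if (rest.length > 0) return false;
  const maxBits = isIPv4(addr) ? 32 : isIPv6(addr) ? 128 : -1;
  if (maxBits < 0) return false;
  return prefix === undefined || (/^\d{1,3}$/.test(prefix) && Number(prefix) <= maxBits);
}

// Lists every restriction entry in a system.users document that fails the check.
function findInvalidRestrictions(userDoc) {
  const bad = [];
  for (const restriction of userDoc.authenticationRestrictions || []) {
    for (const field of ["clientSource", "serverAddress"]) {
      for (const value of restriction[field] || []) {
        if (!isValidAddressOrCidr(value)) bad.push({ user: userDoc._id, field, value });
      }
    }
  }
  return bad;
}

// Constructed sample shaped like the stored document in the report (credentials omitted).
const sampleUser = { _id: "admin.repro_user", authenticationRestrictions: [
  { clientSource: ["10.0.0.1", "NOT_AN_IP_OR_CIDR", "127.0.0.1"] } ] };
console.log(findInvalidRestrictions(sampleUser));
```

The functions use no Node-specific modules, so they can be pasted into mongosh and run over stored users with `db.getSiblingDB("admin").system.users.find().forEach(u => findInvalidRestrictions(u).forEach(printjson))`.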