-
Type:
Bug
-
Resolution: Unresolved
-
Priority:
Major - P3
-
None
-
Affects Version/s: 8.2.11
-
Component/s: None
-
None
-
Server Security
-
ALL
-
-
Server Security 2026-07-03
Hi,
According to the documentation at https://www.mongodb.com/docs/manual/core/csfle/reference/encryption-schemas/#mongodb-autoencryptkeyword-autoencryptkeyword.encrypt.bsonType, the bsonType field is required when encrypt.algorithm is AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic. However, I found that a schema that omits this field is still accepted.
Furthermore, when this field is set to "null", the schema is also accepted, even though the documentation says this value is not supported.
This is an example:
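// Reproduction script for the mongosh shell. It relies on the shell globals
// `db`, `UUID`, `tojson` and `printjson`.
// NOTE: resetDb() drops the entire "test" database, so run this only against
// a disposable deployment.
const dbName = "test";
const auditDb = db.getSiblingDB(dbName);

/**
 * Drops the target database so every run starts from an empty state.
 *
 * @throws {Error} If the dropDatabase reply does not report `ok`.
 */
function resetDb() {
  const res = auditDb.dropDatabase();
  if (!res.ok) {
    throw new Error("dropDatabase failed: " + tojson(res));
  }
}

/**
 * Attempts to create a collection whose validator is the given $jsonSchema.
 *
 * @param {string} collName - Name of the collection to create.
 * @param {object} schema - Document used as the `$jsonSchema` validator.
 * @returns {object} The reply of the `create` command, returned as-is so the
 *   caller can print it.
 */
function tryCreate(collName, schema) {
  return auditDb.runCommand({
    create: collName,
    validator: { $jsonSchema: schema },
  });
}

resetDb();

// Case 1: Deterministic algorithm with no `bsonType`. The report cites the
// documentation as requiring `bsonType` for this algorithm, so the expected
// outcome is a rejected schema.
// `UUID()` with no argument yields a fresh random UUID; it is only a
// placeholder key id for schema validation, not a reference to a real data key.
const deterministicMissingBsonType = {
  properties: {
    secret: {
      encrypt: {
        algorithm: "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic",
        keyId: [UUID()],
      },
    },
  },
};

// Case 2: Random algorithm with `bsonType: "null"`, which the report says the
// documentation does not support.
const encryptNullBsonType = {
  properties: {
    secret: {
      encrypt: {
        algorithm: "AEAD_AES_256_CBC_HMAC_SHA_512-Random",
        bsonType: "null",
        keyId: [UUID()],
      },
    },
  },
};

// A reply of `ok: 1` for a case means the server did not reject that schema
// when the collection was created.
const results = {
  deterministicMissingBsonType: tryCreate("missing_bson_type", deterministicMissingBsonType),
  encryptNullBsonType: tryCreate("null_bson_type", encryptNullBsonType),
};

printjson(results);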
This is the output:
{
deterministicMissingBsonType: {
ok: 1
},
encryptNullBsonType: {
ok: 1
}
}