The HTTP interface has a more permissive localhost exception policy than the database server.
The embedded web server that provides the HTTP interface may allow a user to connect via localhost even if users are defined on the admin database and --auth is enabled. If no users are defined in the admin database, unauthenticated access via the HTTP interface from anywhere (not just localhost) is also possible.
This is more permissive than the database server localhost exception policy.
As a work-around, follow our security best practices and disable the embedded web server.
All previous versions of the HTTP interface are affected by this issue. The HTTP interface is disabled by default from 2.6.0 and onwards.
The fix is included in the 3.0.1 production release.