AuthzManagerExternalStateMongod::findOne uses AutoGetCollectionForReadCommand to take the lock and then does the read. Normally, the destructor of AutoGetCollectionForReadCommand would abandon the WiredTiger snapshot as a result of the Global lock's destructor. However, we may enter this findOne function while holding AuthzLock (a Database S lock and thus a Global IS lock), so the destructor would not abandon the snapshot.
In the linked BF, the first read opened a transaction and the second read just continued that transaction. If the snapshot is invalid for the second read, there is no way to set the readSource since the transaction is already active.
The fix would be to abandon the snapshot after the first read, or to always abandon snapshots before any findOne(), so that each read independently uses its own snapshot/transaction.
If two reads have to be on the same transaction/snapshot, we definitely need a better way, especially if they are on two different collections.
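The behaviour described above, as a small stand-alone model added here for illustration (it is not MongoDB source code). `RecoveryUnit`, `OperationContext`, `GlobalLock`, the depth counter and the timestamps are simplified, hypothetical stand-ins, and the model assumes that only the outermost global lock release abandons the snapshot; it does not model readSource.

```cpp
#include <cstdio>
#include <optional>

// Toy model with hypothetical names; not MongoDB source code.
struct RecoveryUnit {
    const long long* committed;          // latest committed timestamp in "storage"
    std::optional<long long> snapshot;   // set while a storage transaction is active
    long long read() {                   // first read opens the snapshot; later reads reuse it
        if (!snapshot) snapshot = *committed;
        return *snapshot;
    }
    void abandonSnapshot() { snapshot.reset(); }
};

struct OperationContext {
    RecoveryUnit ru;
    int globalLockDepth = 0;             // the global lock is recursive per operation
};

// RAII lock: only the release that drops the depth to zero abandons the snapshot.
class GlobalLock {
    OperationContext& opCtx;
public:
    explicit GlobalLock(OperationContext& o) : opCtx(o) { ++opCtx.globalLockDepth; }
    ~GlobalLock() { if (--opCtx.globalLockDepth == 0) opCtx.ru.abandonSnapshot(); }
};

long long findOne(OperationContext& opCtx, bool abandonBeforeRead) {
    if (abandonBeforeRead) opCtx.ru.abandonSnapshot();  // the fix proposed in the text
    GlobalLock lk(opCtx);                // stands in for AutoGetCollectionForReadCommand
    return opCtx.ru.read();
}

// Two reads with a commit in between; returns the timestamp the second read sees.
long long secondReadTimestamp(bool holdOuterLock, bool abandonBeforeRead) {
    long long committed = 0;             // constructed sample state
    OperationContext opCtx{RecoveryUnit{&committed, std::nullopt}};
    std::optional<GlobalLock> outer;     // stands in for AuthzLock held by the caller
    if (holdOuterLock) outer.emplace(opCtx);
    findOne(opCtx, abandonBeforeRead);
    committed = 10;                      // another operation commits between the reads
    return findOne(opCtx, abandonBeforeRead);
}

int main() {
    std::printf("no outer lock: %lld\n", secondReadTimestamp(false, false));
    std::printf("outer lock:    %lld\n", secondReadTimestamp(true, false));
    std::printf("with fix:      %lld\n", secondReadTimestamp(true, true));
}
```

With the outer lock held and no explicit abandon, the second read still sees the timestamp from the first read's snapshot.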