{"id":"CVE-2026-6915","summary":"Flaw in the updateUser Command May Allow Unauthorized Configuration Change","details":"An authorization flaw in the user management command could allow an authenticated user to make limited changes to authentication-related data associated with another user account. This could affect how authentication is performed for the impacted account.","aliases":["BIT-mongodb-2026-6915"],"modified":"2026-07-15T21:28:11.516469Z","published":"2026-04-29T16:51:01.903Z","database_specific":{"cna_assigner":"mongodb","cwe_ids":["CWE-1284"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/6xxx/CVE-2026-6915.json","unresolved_ranges":[{"extracted_events":[{"introduced":"8.2.0"},{"fixed":"8.2.7"},{"introduced":"8.0.0"},{"fixed":"8.0.21"},{"introduced":"7.0.0"},{"fixed":"7.0.32"}],"source":"AFFECTED_FIELD"}]},"references":[{"type":"WEB","url":"https://jira.mongodb.org/browse/SERVER-119679"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/6xxx/CVE-2026-6915.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-6915"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/mongodb/mongo","events":[{"introduced":"37d84072b5c5b9fd723db5fa133fb202ad2317f1"},{"fixed":"169d1f049ccd836820e4728cf834bb1513b5e015"},{"introduced":"b41cda4fe697dce6fd9b83b3805362ccc02fbeb3"},{"fixed":"08e0c4612b855c4e73385c2ec838588f82d8a19b"},{"introduced":"b993867dce63dd366cd93e60f3f425ed716f6497"},{"fixed":"9fbea53313e85fbbf864a963ff17b0bd6dafa0be"}],"database_specific":{"cpe":"cpe:2.3:a:mongodb:mongodb:*:*:*:*:-:*:*:*","extracted_events":[{"introduced":"7.0.0"},{"fixed":"7.0.32"},{"introduced":"8.0.0"},{"fixed":"8.0.21"},{"introduced":"8.2.0"},{"fixed":"8.2.7"}],"source":"CPE_RANGE"}}],"versions":["r8.2.4-alpha1","r8.2.4-alpha0","r7.0.27-rc0","r7.0.27","r8.0.17-alpha0","r8.0.16-rc1","r8.0.16","r7.0.27-alpha0","r7.0.26-rc0","r7.0.26","r8.2.3-alpha0","r8.2.2-rc0","r8.2.2","r8.0.16-rc0","r8.0.14-rc1","r8.0.14","r7.0.24-rc0","r7.0.24","r8.2.1-rc1","r8.2.1","r8.2.1-rc0","r7.0.25-alpha0","r8.0.14-rc0","r8.2.0","r8.0.13-rc2","r8.0.13","r8.0.13-rc1","r8.0.13-rc0","r7.0.23-rc1","r7.0.23","r7.0.23-rc0","r7.0.22-rc0","r7.0.22","r8.0.12-rc0","r8.0.12","r8.0.10-rc0","r8.0.10","r7.0.21-rc0","r7.0.21","r7.0.21-alpha0","r7.0.18","r8.0.6","r7.0.17","r8.0.5-rc2","r8.0.5","r8.0.5-rc1","r8.0.5-rc0","r7.0.16-rc1","r7.0.16-rc0","r7.0.16","r8.0.4-rc0","r8.0.4","r7.0.15","r8.0.3","r8.0.2","r7.0.15-rc1","r7.0.15-rc0","r8.0.1-rc0","r8.0.1","r8.0.0","r7.0.14-rc0","r7.0.14","r7.0.13-rc1","r7.0.13","r7.0.13-rc0","r7.0.12-rc1","r7.0.12","r7.0.12-rc0","r7.0.11-rc2","r7.0.11","r7.0.11-rc1","r7.0.11-rc0","r7.0.10-rc0","r7.0.10","r7.0.9-rc1","r7.0.9","r7.0.9-rc0","r7.0.8-rc0","r7.0.8","r7.0.7-rc2","r7.0.7","r7.0.7-rc1","r7.0.7-rc0","r7.0.6-rc0","r7.0.6","r7.0.5-rc0","r7.0.5","r7.0.4-rc0","r7.0.4","r7.0.3-rc1","r7.0.3","r7.0.3-rc0","r7.0.2-rc2","r7.0.2","r7.0.2-rc1","r7.0.2-rc0","r7.0.1-rc0","r7.0.1","r7.0.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-6915.json","vanir_signatures_modified":"2026-07-15T21:28:11Z","vanir_signatures":[{"source":"https://github.com/mongodb/mongo/commit/08e0c4612b855c4e73385c2ec838588f82d8a19b","target":{"file":"src/mongo/db/mongod_main.cpp","function":"mongod_main"},"deprecated":false,"digest":{"function_hash":"164686043380698660719722351152006285402","length":2908},"id":"CVE-2026-6915-3ef5e661","signature_type":"Function","signature_version":"v1"},{"signature_version":"v1","source":"https://github.com/mongodb/mongo/commit/08e0c4612b855c4e73385c2ec838588f82d8a19b","target":{"file":"src/mongo/db/mongod_main.cpp"},"deprecated":false,"digest":{"line_hashes":["179215270457449443453579291868469199727","33556446067133974934969847839402282197","29350364556964231604783587715398600263","57726341186909301783117793920654563686","136845089925583489291724266187596164684","305634184878952065582817930778120911044","172837088109626467133187672572056083021"],"threshold":0.9},"id":"CVE-2026-6915-4f010fbc","signature_type":"Line"},{"id":"CVE-2026-6915-74d68245","signature_type":"Line","signature_version":"v1","source":"https://github.com/mongodb/mongo/commit/08e0c4612b855c4e73385c2ec838588f82d8a19b","target":{"file":"src/mongo/s/mongos_main.cpp"},"deprecated":false,"digest":{"line_hashes":["113943198681305830374459943796736910273","284155681462991298677336326783867736476","322305722881740005680917803045236736977","91774852827086589335342822882248207662","229647983256621488789011376734284527782","281813804611164678198537084954231215930","244936745804740692166401377847527106794"],"threshold":0.9}},{"source":"https://github.com/mongodb/mongo/commit/08e0c4612b855c4e73385c2ec838588f82d8a19b","target":{"file":"src/mongo/s/mongos_main.cpp","function":"mongos_main"},"deprecated":false,"digest":{"function_hash":"79148053720149972531027689719546447436","length":2005},"id":"CVE-2026-6915-8f2fa9a0","signature_type":"Function","signature_version":"v1"}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"}]}