{"id":"CVE-2026-8200","summary":"Schema validation log messages may not redact user data","details":"When schema validation is enabled on a collection and an update or insert would violate the collection's schema, the local server log message generated may not have all user data redacted. \n\n\nThis issue impacts MongoDB Server v7.0 versions prior to 7.0.34, v8.0 versions prior to 8.0.23, v8.2 versions prior to 8.2.9 and v8.3 versions prior to 8.3.2.","aliases":["BIT-mongodb-2026-8200"],"modified":"2026-07-08T08:12:41.216164757Z","published":"2026-05-13T00:08:29.761Z","database_specific":{"cna_assigner":"mongodb","cwe_ids":["CWE-532"],"unresolved_ranges":[{"source":"AFFECTED_FIELD","extracted_events":[{"introduced":"7.0"},{"fixed":"7.0.34"},{"introduced":"8.0"},{"fixed":"8.0.23"},{"introduced":"8.2"},{"fixed":"8.2.9"},{"introduced":"8.3"},{"fixed":"8.3.2"}]}],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/8xxx/CVE-2026-8200.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/8xxx/CVE-2026-8200.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-8200"},{"type":"REPORT","url":"https://jira.mongodb.org/browse/SERVER-121895"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/mongodb/mongo","events":[{"introduced":"37d84072b5c5b9fd723db5fa133fb202ad2317f1"},{"fixed":"c4112034073d61ecdfc209fb769c6b08102af643"},{"introduced":"b41cda4fe697dce6fd9b83b3805362ccc02fbeb3"},{"fixed":"e1c5eb1c5d29781674274ced38871c117967302e"},{"introduced":"b993867dce63dd366cd93e60f3f425ed716f6497"},{"fixed":"551096db8ad4a951af553de51c5485d5fd91d40d"},{"introduced":"0f29b043a58fdd251ce0a0b32754b8459613c933"},{"fixed":"c531abff36f228c5ff24735ddf31a23536716ab0"}],"database_specific":{"source":"CPE_RANGE","extracted_events":[{"introduced":"7.0.0"},{"fixed":"7.0.34"},{"introduced":"8.0.0"},{"fixed":"8.0.23"},{"introduced":"8.2.0"},{"fixed":"8.2.9"},{"introduced":"8.3.0"},{"fixed":"8.3.2"}],"cpe":"cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*"}}],"versions":["r8.3.0","r8.3.1","r8.2.4-alpha1","r8.2.4-alpha0","r7.0.27-rc0","r7.0.27","r8.0.17-alpha0","r8.0.16-rc1","r8.0.16","r7.0.27-alpha0","r7.0.26-rc0","r7.0.26","r8.2.3-alpha0","r8.2.2-rc0","r8.2.2","r8.0.16-rc0","r8.0.14-rc1","r8.0.14","r7.0.24-rc0","r7.0.24","r8.2.1-rc1","r8.2.1","r8.2.1-rc0","r7.0.25-alpha0","r8.0.14-rc0","r8.2.0","r8.0.13-rc2","r8.0.13","r8.0.13-rc1","r8.0.13-rc0","r7.0.23-rc1","r7.0.23","r7.0.23-rc0","r7.0.22-rc0","r7.0.22","r8.0.12-rc0","r8.0.12","r8.0.10-rc0","r8.0.10","r7.0.21-rc0","r7.0.21","r7.0.21-alpha0","r7.0.18","r8.0.6","r7.0.17","r8.0.5-rc2","r8.0.5","r8.0.5-rc1","r8.0.5-rc0","r7.0.16-rc1","r7.0.16-rc0","r7.0.16","r8.0.4-rc0","r8.0.4","r7.0.15","r8.0.3","r8.0.2","r7.0.15-rc1","r7.0.15-rc0","r8.0.1-rc0","r8.0.1","r8.0.0","r7.0.14-rc0","r7.0.14","r7.0.13-rc1","r7.0.13","r7.0.13-rc0","r7.0.12-rc1","r7.0.12","r7.0.12-rc0","r7.0.11-rc2","r7.0.11","r7.0.11-rc1","r7.0.11-rc0","r7.0.10-rc0","r7.0.10","r7.0.9-rc1","r7.0.9","r7.0.9-rc0","r7.0.8-rc0","r7.0.8","r7.0.7-rc2","r7.0.7","r7.0.7-rc1","r7.0.7-rc0","r7.0.6-rc0","r7.0.6","r7.0.5-rc0","r7.0.5","r7.0.4-rc0","r7.0.4","r7.0.3-rc1","r7.0.3","r7.0.3-rc0","r7.0.2-rc2","r7.0.2","r7.0.2-rc1","r7.0.2-rc0","r7.0.1-rc0","r7.0.1","r7.0.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-8200.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N"}]}