CVE-2026-6231

bson_validate may skip validation when processing certain inputs

Assigner: mongodb
Reserved: 13.04.2026 Published: 13.04.2026 Updated: 13.04.2026

The bson_validate function may return early on specific inputs and incorrectly report success. This behavior could result in skipping validation for BSON data, allowing malformed or invalid UTF-8 sequences to bypass validation and be processed incorrectly. The issue may affect applications that rely on these functions to validate untrusted BSON data before further processing. This issue affects MongoDB C Driver versions prior to 1.30.5, MongoDB C Driver version 2.0.0 and MongoDB C Driver version 2.0.1

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
CVSS Score: 5.3

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	None	Confidentiality	None
Attack Complexity	Low	Integrity	Low	Integrity	None
Attack Requirements	None	Availability	None	Availability	None
Privileges Required	Low
User Interaction	None

CVSS 4.0

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CVSS Score: 4.3

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	None
Privileges Required	Low	Integrity Impact	Low
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	MongoDB Inc.
Product	C Driver
Versions	Default: unaffected affected from 1.0 to 1.30.5 (excl.) affected from 2.0 to 2.0.2 (excl.)

Vendor

MongoDB Inc.

Product

C Driver

Versions

Default: unaffected

affected from 1.0 to 1.30.5 (excl.)
affected from 2.0 to 2.0.2 (excl.)

References

Problem Types

CWE-20 Improper input validation CWE

CVE-2026-6231 PUBLISHED

bson_validate may skip validation when processing certain inputs

Metrics

Product Status

References

Problem Types