CVE-2019-2386

7.1 HIGH
Published: August 06, 2019 Modified: February 23, 2026

Description

After user deletion in MongoDB Server the improper invalidation of authorization sessions allows an authenticated user's session to persist and become conflated with new accounts, if those accounts reuse the names of deleted ones. This issue affects MongoDB Server v4.0 versions prior to 4.0.9; MongoDB Server v3.6 versions prior to 3.6.13 and MongoDB Server v3.4 versions prior to 3.4.22. Workaround: After deleting one or more users, restart any nodes which may have had active user authorization sessions. Refrain from creating user accounts with the same name as previously deleted accounts.

CVSS v3.x Details

Vector String
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

References to Advisories, Solutions, and Tools

https://jira.mongodb.org/browse/SERVER-38984
Source: cna@mongodb.com
Vendor Advisory
https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0829
Source: cna@mongodb.com
Exploit Third Party Advisory
https://jira.mongodb.org/browse/SERVER-38984
Source: af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory
https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0829
Source: af854a3a-2127-422b-91ae-364da2661108
Exploit Third Party Advisory

4 reference(s) from NVD

Quick Stats

CVSS v3 Score
7.1 / 10.0
EPSS (Exploit Probability)
0.4%
61st percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

Affected Vendors

mongodb