CVE-2019-2386

7.1 HIGH

📋 TL;DR

This MongoDB vulnerability stems from improper invalidation of authorization sessions: a session authenticated as a user keeps its authorization after that user's account is deleted, and if a new account is later created with the same username, the stale session can become conflated with the new account and obtain its access. It affects MongoDB Server versions 3.4 prior to 3.4.22, 3.6 prior to 3.6.13, and 4.0 prior to 4.0.9.

💻 Affected Systems

Products:
  • MongoDB Server
Versions: 3.4.x < 3.4.22, 3.6.x < 3.6.13, 4.0.x < 4.0.9
Operating Systems: All platforms running MongoDB
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects deployments with user authentication enabled and user account recycling.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker holding a session authenticated with a since-deleted account could gain unauthorized access to a new account created under the same username, potentially compromising sensitive data or performing privileged operations granted to the new account.

🟠 Likely Case

Accidental privilege escalation when user accounts are recycled, allowing former users with still-open sessions to act as the new accounts that reuse their names.

🟢 If Mitigated

Minimal impact if proper user management practices are followed and systems are patched.

🌐 Internet-Facing: MEDIUM - Requires authenticated access but affects internet-facing MongoDB instances with user recycling.
🏢 Internal Only: MEDIUM - Similar risk internally, though attack surface may be smaller.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires authenticated access and specific timing when user accounts are recycled.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.4.22, 3.6.13, 4.0.9

Vendor Advisory: https://jira.mongodb.org/browse/SERVER-38984

Restart Required: Yes

Instructions:

1. Back up MongoDB data.
2. Stop the MongoDB service.
3. Upgrade to a patched version (3.4.22, 3.6.13 or 4.0.9, depending on branch).
4. Restart the MongoDB service.
5. Verify the version with 'mongod --version'.

🔧 Temporary Workarounds

Restart after user deletion (linux)

Restart MongoDB nodes after deleting users to clear authorization sessions:

sudo systemctl restart mongod

or, on systems without systemd:

sudo service mongod restart

Avoid username recycling (all platforms)

Do not create new accounts with the names of recently deleted users.

🧯 If You Can't Patch

  • Implement strict user management policy prohibiting username recycling
  • Schedule regular MongoDB restarts after user maintenance operations

🔍 How to Verify

Check if Vulnerable:

Check MongoDB version: if running 3.4.x < 3.4.22, 3.6.x < 3.6.13, or 4.0.x < 4.0.9 with authentication enabled, you are vulnerable.

Check Version:

mongod --version

Verify Fix Applied:

Verify version is 3.4.22+, 3.6.13+, or 4.0.9+ and test user deletion/recreation scenarios.
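The version check above can be automated. The following is an added example, not part of the advisory or of MongoDB's own tooling: it parses the "db version vX.Y.Z" line that `mongod --version` prints and compares it against the fixed releases the advisory names (3.4.22, 3.6.13, 4.0.9). Branches not listed in the advisory (for example 3.2 or 4.2) are reported as not affected; the `mongod` invocation in the main block is only attempted when the script is run directly.

```python
"""Check a mongod version against the CVE-2019-2386 fixed releases.

Added example for the advisory above; not the advisory's or MongoDB's code.
"""
import re
import subprocess

# Fixed release per affected branch, as stated in the advisory.
FIXED = {
    (3, 4): (3, 4, 22),
    (3, 6): (3, 6, 13),
    (4, 0): (4, 0, 9),
}

# `mongod --version` prints a line such as "db version v4.0.8".
_VERSION_RE = re.compile(r"db version v(\d+)\.(\d+)\.(\d+)")


def parse_mongod_version(output: str):
    """Return (major, minor, patch) from `mongod --version` output, or None."""
    m = _VERSION_RE.search(output)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version) -> bool:
    """True when the version sits on an affected branch and predates its fix."""
    fixed = FIXED.get(tuple(version[:2]))
    if fixed is None:
        # Branches outside 3.4 / 3.6 / 4.0 are not in the advisory's ranges.
        return False
    return tuple(version) < fixed


def check_output(output: str) -> str:
    """Human-readable verdict for a captured `mongod --version` output."""
    v = parse_mongod_version(output)
    if v is None:
        return "unknown: could not parse mongod version output"
    label = "VULNERABLE" if is_vulnerable(v) else "not affected"
    return "%d.%d.%d: %s" % (v + (label,))


if __name__ == "__main__":
    try:
        out = subprocess.run(["mongod", "--version"], capture_output=True,
                             text=True, check=False).stdout
    except FileNotFoundError:
        out = ""
    print(check_output(out))
```

Run it on each node; a "not affected" verdict only covers this CVE's version ranges, and authentication must still be enabled for the issue to matter, as the advisory notes.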

📡 Detection & Monitoring

Log Indicators:

  • Multiple successful authentications from same user after account deletion
  • User creation events followed by unexpected authentication from old credentials

Network Indicators:

  • Authentication attempts with recently deleted user credentials

SIEM Query:

source="mongodb" AND (event="userDeleted" OR event="userCreated") | stats count by user
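The log indicators listed above can be checked directly against a MongoDB audit log rather than only counted per user. The following is an added example, not from the advisory or from MongoDB: it reads audit records (JSON, one per line) and, for each username, flags every successful "authenticate" event that occurs after a "dropUser" for that name, recording whether a "createUser" with the same name happened in between (the recycling case) and whether the authenticating source IP was already using that account before it was dropped. The sample log lines are constructed for the example; the record shape (atype, param.user, remote.ip, result) follows MongoDB's audit log format, and a non-zero result is treated as a failed operation.

```python
"""Flag authentications by recycled usernames in a MongoDB audit log.

Added example for the advisory's detection section; the SAMPLE_AUDIT_LOG
records are constructed, not captured from a real deployment.
"""
import json
from collections import defaultdict

SAMPLE_AUDIT_LOG = """\
{"atype":"authenticate","ts":{"$date":"2019-04-01T10:00:00Z"},"remote":{"ip":"10.0.0.5","port":51000},"param":{"user":"alice","db":"admin","mechanism":"SCRAM-SHA-1"},"result":0}
{"atype":"dropUser","ts":{"$date":"2019-04-01T10:05:00Z"},"remote":{"ip":"10.0.0.2","port":51010},"param":{"user":"alice","db":"admin"},"result":0}
{"atype":"createUser","ts":{"$date":"2019-04-01T10:06:00Z"},"remote":{"ip":"10.0.0.2","port":51011},"param":{"user":"alice","db":"admin","roles":[{"role":"root","db":"admin"}]},"result":0}
{"atype":"authenticate","ts":{"$date":"2019-04-01T10:07:00Z"},"remote":{"ip":"10.0.0.5","port":51000},"param":{"user":"alice","db":"admin","mechanism":"SCRAM-SHA-1"},"result":0}
{"atype":"authenticate","ts":{"$date":"2019-04-01T10:08:00Z"},"remote":{"ip":"10.0.0.7","port":52000},"param":{"user":"bob","db":"admin","mechanism":"SCRAM-SHA-1"},"result":18}
"""


def parse_records(text):
    """Yield one dict per non-empty JSON line."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def find_recycled_user_auths(records):
    """Return findings for successful authentications after a dropUser.

    Each finding carries the user, timestamp, source IP, when the account
    was dropped, whether the name was recreated since (recycling), and
    whether that source IP had authenticated as the user before the drop.
    """
    dropped = {}                         # user -> ts of most recent dropUser
    recreated = set()                    # users recreated after being dropped
    pre_drop_sources = defaultdict(set)  # user -> IPs seen before the drop
    findings = []
    for rec in records:
        atype = rec.get("atype")
        user = rec.get("param", {}).get("user")
        ts = rec.get("ts", {}).get("$date")
        ip = rec.get("remote", {}).get("ip")
        ok = rec.get("result") == 0
        if not user or not ok:
            continue  # failed operations are not indicators here
        if atype == "dropUser":
            dropped[user] = ts
            recreated.discard(user)
        elif atype == "createUser":
            if user in dropped:
                recreated.add(user)
        elif atype == "authenticate":
            if user in dropped:
                findings.append({
                    "user": user,
                    "ts": ts,
                    "remote": ip,
                    "dropped_at": dropped[user],
                    "name_recycled": user in recreated,
                    "seen_before_drop": ip in pre_drop_sources[user],
                })
            else:
                pre_drop_sources[user].add(ip)
    return findings


if __name__ == "__main__":
    for finding in find_recycled_user_auths(parse_records(SAMPLE_AUDIT_LOG)):
        print(json.dumps(finding))
```

A finding with both name_recycled and seen_before_drop set is the strongest match for the advisory's "user creation events followed by unexpected authentication from old credentials" indicator; it is a trigger for review, not proof of compromise, since the same person may legitimately hold the recreated account.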

🔗 References
