BugZero | MongoDB BugID SERVER-119679 - Missing Authorization Check in updateUser

MongoDB - Defect ID: SERVER-119679

Missing Authorization Check in updateUser

MongoDB - Defect ID: SERVER-119679

Missing Authorization Check in updateUser

Last updated on April 29th, 2026

BugZero Risk Score
7.2 High

Overall: 7.2

Severity: 8.2

Community: 3.7

Lifecycle: 9.1

What is the BugZero Risk Score?

MongoDB Integration

Learn more about where this data comes from

MongoDB Integration

Learn more

Bug Scrub Advisor

Streamline upgrades with automated vendor bug scrubs

Bug Scrub Advisor

Learn more

BugZero Enterprise

Wish you caught this bug sooner? Get proactive today.

BugZero Enterprise

Learn more

Bug Details

Priority: Critical - P2
Status: Closed
Resolution: Fixed

Description

Info

A missing authorization check in the updateUser command allows any authenticated user to downgrade any other user's authentication mechanism from SCRAM-SHA-256 to SCRAM-SHA-1. This is the function that is missing that check: https://github.com/10gen/mongo/blob/master/src/mongo/db/commands/user_management_commands_common.cpp#L219

Top User Comments

xgen-internal-githook commented on Mon, 9 Mar 2026 15:27:23 +0000: Author: {'name': 'Gabriel Marks', 'email': 'gabriel.marks@mongodb.com', 'username': 'marksg07'} Message: SERVER-119679 Add auth check for updating mechanisms of user (#48178) (#48534) GitOrigin-RevId: 3e15fa285a88b114c8e4247a1979cc9b9aabe1eb Branch: v8.2 https://github.com/mongodb/mongo/commit/0b13f3b9d2c58d829dca490f0bcc1c7fce881740 xgen-internal-githook commented on Mon, 9 Mar 2026 15:18:12 +0000: Author: {'name': 'Gabriel Marks', 'email': 'gabriel.marks@mongodb.com', 'username': 'marksg07'} Message: SERVER-119679 Add auth check for updating mechanisms of user (#48178) (#48533) GitOrigin-RevId: e337a2a9c1d016397507cdbd9d059b8884343d30 Branch: v7.0 https://github.com/mongodb/mongo/commit/5d16cbfca7a6e08aafd4fbd30311ef8543051bed xgen-internal-githook commented on Mon, 9 Mar 2026 15:14:53 +0000: Author: {'name': 'Gabriel Marks', 'email': 'gabriel.marks@mongodb.com', 'username': 'marksg07'} Message: SERVER-119679 Add auth check for updating mechanisms of user (#48178) (#48532) GitOrigin-RevId: 4b8d66e1418742ead01c7aee2ebd1cceec6cf652 Branch: v8.0 https://github.com/mongodb/mongo/commit/3640fa13735a4c432ecc97e673dc7d75997d6acb xgen-internal-githook commented on Mon, 23 Feb 2026 21:29:12 +0000: Author: {'name': 'Gabriel Marks', 'email': 'gabriel.marks@mongodb.com', 'username': 'marksg07'} Message: SERVER-119679 Add auth check for updating mechanisms of user (#48178) GitOrigin-RevId: 99af087031eaa3a0b7194233680d84047de44b5d Branch: master https://github.com/mongodb/mongo/commit/c33d95e211cde7b3a64a0910ee007daeab9958c3

Steps to Reproduce

Change history

2026-04-29 Added: 8.2.5, 7.0.30, 8.0.19

Relevant Products

Click on a version to see all relevant bugs

Affected versions:8.2.5, 7.0.30, 8.0.19

Fixed versions: 8.3.0-rc0, 8.2.7, 8.0.21, 7.0.32

Relevant Products

Click on a version to see all relevant bugs

Affected versions:8.2.5, 7.0.30, 8.0.19

Fixed versions: 8.3.0-rc0, 8.2.7, 8.0.21, 7.0.32

Top MongoDB Defects

8.8Defect ID: SERVER-122102
MongoDB config server will crash in a cluster which is upgrade from 6.0 version
7.2Defect ID: SERVER-119679
Missing Authorization Check in updateUser
7.2Defect ID: SERVER-97842
mongodb cpu usage spikes with newer version of openssl on el9
7.2Defect ID: SERVER-110832
OplogWriter should not hold on to session through rollbacks
7.2Defect ID: SERVER-91194
timeseriesBucketsMayHaveMixedSchemaData not properly cloned upon data migration/initial sync/restore

Ready to prevent the next vendor outage?

Get a demo

MongoDB - Defect ID: SERVER-119679

Missing Authorization Check in updateUser

MongoDB - Defect ID: SERVER-119679

Missing Authorization Check in updateUser

Last updated on April 29th, 2026

BugZero Risk Score7.2 High

Bug Details

Info

Top User Comments

Steps to Reproduce

Top MongoDB Defects

Ready to prevent the next vendor outage?

Links

BugZero Risk Score
7.2 High