In MongoDB Enterprise, when a Mongo server accepts authentication attempts via the PLAIN mechanism on the $external database and is configured to use the Cyrus SASL GSSAPI mechanism for LDAP binding, passwords are not validated.
You can find more details on the MongoDB site: https://jira.mongodb.org/browse/SERVER-35610.
- For Sitecore XP 8.2 Update-6, upgrade your MongoDB server to 3.4.16 version.
- For Sitecore XP 8.2 Update-7 and 9.0 Update-2, upgrade your MongoDB server to 3.6.6 version. Additionally, Sitecore XP 8.2 Update-7 requires updating of the Mongo driver as described in the following article: Sitecore 8.2.x support for MongoDb 3.6