Security vulnerability in MongoDB 3.4 and 3.6


In MongoDB Enterprise, when a Mongo server accepts authentication attempts via the PLAIN mechanism on the $external database and is configured to use the Cyrus SASL GSSAPI mechanism for LDAP binding, passwords are not validated.

You can find more details on the MongoDB site: