
MongoDB Running Without Authentication

What Is This Vulnerability?

A MongoDB instance running without authentication allows anyone who can reach the network port to read, modify, or delete all data in every database. Thousands of MongoDB instances are exposed on the internet without authentication, and automated bots continuously scan for them to steal or ransom the data they contain.

Why It Happens

mongod does not enforce authentication unless security.authorization is enabled, and most installation methods leave it off. Developers spin up instances for local development without auth and deploy them the same way. The official MongoDB Docker image listens on all container interfaces and starts without authentication unless MONGO_INITDB_ROOT_USERNAME and MONGO_INITDB_ROOT_PASSWORD are set. Cloud deployments sometimes expose the default port (27017) to the public internet through misconfigured security groups.

Example Code

Vulnerable: docker-compose.yml

version: "3.8"
services:
  mongodb:
    image: mongo:7
    ports:
      # Publishes 27017 on every host interface. The image's entrypoint starts mongod
      # with --bind_ip_all, and with no MONGO_INITDB_ROOT_* variables it runs without --auth.
      - "27017:27017"
    volumes:
      - mongo_data:/data/db

volumes:
  mongo_data:

Fixed: docker-compose.yml

version: "3.8"
services:
  mongodb:
    image: mongo:7
    ports:
      # Publish only on the host loopback so the port is unreachable from other hosts.
      # Do not add --bind_ip 127.0.0.1 to the mongod command: Docker forwards a published
      # port to the container's bridge address, so a mongod bound only to the container's
      # loopback would be unreachable even from the host.
      - "127.0.0.1:27017:27017"
    environment:
      # With both variables set, the entrypoint creates the root user (only on the first
      # start with an empty /data/db) and runs mongod with --auth.
      MONGO_INITDB_ROOT_USERNAME: ${MONGO_USER}
      MONGO_INITDB_ROOT_PASSWORD: ${MONGO_PASSWORD}
    volumes:
      - mongo_data:/data/db
    command: ["mongod", "--auth"]

volumes:
  mongo_data:

How Hackers Exploit It

Automated bots scan the entire internet for open port 27017. When they find an unauthenticated MongoDB instance, they dump all databases, delete the data, and leave a ransom note demanding Bitcoin payment for its return. Attackers also use exposed MongoDB instances to harvest user credentials, personal data, and intellectual property for sale on dark web marketplaces.

How to Fix It

Enable authentication by starting mongod with the --auth flag or with security.authorization set to enabled in mongod.conf, and create the administrative users before you depend on it. Bind mongod to localhost or a private network interface (net.bindIp) rather than 0.0.0.0. Use firewall rules and security groups so that only application hosts can reach port 27017. Enable TLS for connections (net.tls). Use SCRAM-SHA-256 authentication and create a dedicated database user per application with the smallest role that works, such as readWrite on that application's own database only.

Frequently Asked Questions

How do I enable authentication on an existing MongoDB instance?
Connect to MongoDB, switch to the admin database, and create an administrative user with db.createUser() (typically with the userAdminAnyDatabase role). Then restart mongod with the --auth flag, or set security.authorization to enabled in mongod.conf and restart. If you enable authorization first, the localhost exception still lets a connection from the same host create the first user, as long as no users exist yet. Update every application connection string to include the username, the password and the authSource of the database the user was created in.
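The same hardening for a mongod installed directly on a host rather than in Docker, covering the steps in this answer and in "How to Fix It" above. This is an added example, not configuration from the original page. The option names (security.authorization, net.bindIp, net.tls, setParameter.authenticationMechanisms) are real mongod.conf settings; the private interface address and the certificate paths are placeholders.

```yaml
# mongod.conf (added example). Comments marked "weak" show the settings that leave the instance open.
net:
  port: 27017
  # weak: bindIp: 0.0.0.0 (or bindIpAll: true / --bind_ip_all) listens on every interface.
  # Placeholder address: loopback plus the private interface the application servers use.
  bindIp: 127.0.0.1,10.0.0.5
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb.pem   # placeholder path: server certificate and key in one PEM file
    CAFile: /etc/ssl/ca.pem                    # placeholder path: CA used to validate peer certificates

security:
  # weak: leaving this block out (the default) runs mongod with no authentication at all.
  authorization: enabled

setParameter:
  # Refuse the older SCRAM-SHA-1 mechanism so every login uses SCRAM-SHA-256.
  authenticationMechanisms: SCRAM-SHA-256
```

Restart mongod after editing the file, then create the users from a connection on the host itself (the localhost exception allows this while no users exist): an administrator with userAdminAnyDatabase on admin, and one user per application with readWrite on that application's database only. Restricting authenticationMechanisms to SCRAM-SHA-256 requires users whose credentials were created on MongoDB 4.0 or later, which store SCRAM-SHA-256 credentials by default.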
Is binding MongoDB to localhost enough?
Binding to localhost blocks remote connections but does nothing against a local attacker, another process on the host, or a container on the same Docker or Kubernetes network, which can still reach the port. In Docker, mongod must bind the container's own interface for a published port to work at all, so restrict exposure on the host side (for example 127.0.0.1:27017:27017) and with firewall rules rather than inside the container. Always enable authentication in addition to network restrictions.
How do I check if my MongoDB requires authentication?
Try connecting without credentials using 'mongosh mongodb://your-server:27017' and run 'show dbs'. If the databases are listed, authentication is not enforced; with authorization enabled the server answers with an Unauthorized error (error code 13) instead. Run the check from a different host, or at least after creating the first user: with authorization enabled but no users created yet, the localhost exception lets a connection from the same host run any command. You can also check mongod.conf for security.authorization: enabled or the running process's command line for --auth.
