Weak or Default Credentials - MongoDB
If MongoDB is configured with authentication disabled or with weak credentials, an attacker may disclose or modify data stored in the database, including usernames and passwords of database users. The default configuration for MongoDB servers permits full access without requiring authentication. Weak credentials include passwords that are easily obtained by password guessing, password spraying, or cracked using dictionary attacks. Default passwords are publicly known and obtainable by an attacker and provide immediate access to a system.
An attacker can access, disclose, and modify data stored in the database, including usernames and password of other database users.