While i think the severity of this VT should be raised using a Complete (C) for Confidentiality Impact (C) and Integrity Impact (I) doesn’t look correct to me:
As an attacker you don’t have full control (like when having “root” access to a system) but only access to the data the target system (in this case the MongoDB service) is providing to you.
Maybe the following rating similar to whats already used in Redis Server No Password (OID: 1.3.6.1.4.1.25623.1.0.105291):
script_tag(name:"cvss_base", value:"7.5");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:P/I:P/A:P");
In the case of the Availability (A) you’re able to control the availability of the service by e.g. dropping / deleting the data in the scope you have access.