Description
Prototype pollution in csv parsing logic during import can lead to untrusted file paths (but not arguments) entering shell.openExternal after specific user behavior leading to "1-click" command execution.
Published: 2026-05-20
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the CSV parsing routine of MongoDB Compass allows an attacker to inject malicious properties into the object prototype. When a user imports a specially crafted CSV file, the polluted prototype can cause an untrusted file path to be passed to shell.openExternal, which may execute arbitrary shell commands with the user's privileges after a single click.

Affected Systems

The vulnerability applies to MongoDB Compass (vendor: MongoDB, Inc.). No specific affected version information is supplied, so all versions that use the current import logic may be impacted until an update is released.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. Without an EPSS value the exact exploitation likelihood cannot be quantified, and the vulnerability is not listed in CISA KEV, suggesting no known widespread exploitation yet. Inferred attack vectors point to local exploitation via CSV import; an attacker would need to supply a malicious CSV to a user who then opens it, making the risk concentrated in environments where untrusted files are imported. Nonetheless, the potential for command execution warrants prompt mitigation.

Generated by OpenCVE AI on May 20, 2026 at 17:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify the latest Compass release and apply any available patch that addresses prototype pollution in CSV import.
  • Restrict CSV import to trusted sources and validate file paths before they are sent to shell.openExternal.
  • Sanitize all input data against prototype modification and enforce strict property checks to prevent unauthorized prototype changes.
  • If a patch is not yet available, disable shell.openExternal for CSV import operations or employ an out-of-context execution sandbox.
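As an added illustration (not MongoDB Compass's code, whose import logic the page does not show), the JavaScript below contrasts a naive dotted-path CSV import with a hardened one that applies the strict property checks recommended above. The sample CSV and the property name "defaultOpenPath" are constructed assumptions standing in for any value that later code might read before calling shell.openExternal.

```javascript
const FORBIDDEN = new Set(["__proto__", "constructor", "prototype"]);
// Naive dotted-path assignment: a header of "__proto__.x" walks onto
// Object.prototype, so the value lands on every object in the process.
function setPathUnsafe(doc, path, value) {
  const parts = path.split(".");
  let cur = doc;
  for (const p of parts.slice(0, -1)) {
    if (typeof cur[p] !== "object" || cur[p] === null) cur[p] = {};
    cur = cur[p];
  }
  cur[parts[parts.length - 1]] = value;
}
// Hardened assignment: reject prototype-reaching segments, descend only into
// own properties, and build null-prototype containers.
function setPathSafe(doc, path, value) {
  const parts = path.split(".");
  if (parts.some((p) => FORBIDDEN.has(p))) {
    throw new Error(`rejected CSV header "${path}"`);
  }
  let cur = doc;
  for (const p of parts.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(cur, p);
    if (!own || typeof cur[p] !== "object" || cur[p] === null) cur[p] = Object.create(null);
    cur = cur[p];
  }
  cur[parts[parts.length - 1]] = value;
}
// Minimal CSV reader (no quoting) feeding each header/value pair to setPath.
function importCsv(text, setPath, makeDoc) {
  const [headerLine, ...rows] = text.trim().split("\n");
  const headers = headerLine.split(",");
  return rows.map((row) => {
    const doc = makeDoc();
    row.split(",").forEach((v, i) => setPath(doc, headers[i], v));
    return doc;
  });
}
// Constructed sample: the second header is a prototype-reaching path. The name
// "defaultOpenPath" is an assumed stand-in, not a real Compass field.
const SAMPLE = "name,__proto__.defaultOpenPath\nalice,untrusted-path\n";
function demo() {
  const probe = {}; // unrelated object used to observe pollution
  importCsv(SAMPLE, setPathUnsafe, () => ({}));
  const polluted = probe.defaultOpenPath; // "untrusted-path" via Object.prototype
  delete Object.prototype.defaultOpenPath; // undo before the hardened run
  let rejected = false;
  try { importCsv(SAMPLE, setPathSafe, () => Object.create(null)); } catch (e) { rejected = true; }
  return { polluted, rejected, afterSafe: probe.defaultOpenPath }; // afterSafe: undefined
}
```

Benign nested headers such as "address.city" still import correctly through setPathSafe; only segments that would reach the prototype chain are refused.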

Generated by OpenCVE AI on May 20, 2026 at 17:20 UTC.


Advisories

No advisories yet.

History

Wed, 20 May 2026 18:45:00 +0000

Type                 Values Removed    Values Added
First Time appeared                    Mongodb
                                       Mongodb compass
Vendors & Products                     Mongodb
                                       Mongodb compass

Wed, 20 May 2026 18:30:00 +0000

Type       Values Removed    Values Added
Metrics                      ssvc
                             {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 20 May 2026 16:45:00 +0000

Type         Values Removed    Values Added
Description                    Prototype pollution in csv parsing logic during import can lead to untrusted file paths (but not arguments) entering shell.openExternal after specific user behavior leading to "1-click" command execution.
Title                          Prototype pollution in csv parsing
Weaknesses                     CWE-1321
References
Metrics                        cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}
                               cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: mongodb

Published:

Updated: 2026-05-20T18:05:45.121Z

Reserved: 2026-05-20T16:03:25.137Z

Link: CVE-2026-9101

Vulnrichment

Updated: 2026-05-20T17:48:10.928Z

NVD

Status: Awaiting Analysis

Published: 2026-05-20T17:16:32.517

Modified: 2026-05-20T17:32:35.827

Link: CVE-2026-9101

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T18:30:35Z

Weaknesses