CVE-2026-9101 - Vulnerability Details

Prototype pollution in csv parsing logic during import can lead to untrusted file paths (but not arguments) entering shell.openExternal after specific user behavior leading to "1-click" command execution.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Mongodb	Compass

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products
Mongodb	Compass

References

Link	Providers
https://jira.mongodb.org/browse/COMPASS-10657

History

Wed, 20 May 2026 18:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mongodb Mongodb compass
Vendors & Products		Mongodb Mongodb compass

Wed, 20 May 2026 18:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 20 May 2026 16:45:00 +0000

Type	Values Removed	Values Added
Description		Prototype pollution in csv parsing logic during import can lead to untrusted file paths (but not arguments) entering shell.openExternal after specific user behavior leading to "1-click" command execution.
Title		Prototype pollution in csv parsing
Weaknesses		CWE-1321
References		https://jira.mongodb.org/browse/COMPASS-10657
Metrics		cvssV3_1 `{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}` cvssV4_0 `{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: mongodb

Published: 2026-05-20T16:18:10.689Z

Updated: 2026-05-20T18:05:45.121Z

Reserved: 2026-05-20T16:03:25.137Z

Link: CVE-2026-9101

Vulnrichment

Updated: 2026-05-20T17:48:10.928Z

NVD

Status : Awaiting Analysis

Published: 2026-05-20T17:16:32.517

Modified: 2026-05-20T17:32:35.827

Link: CVE-2026-9101

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T18:30:35Z

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object