Prototype Pollution in CSV Parsing Logic for MongoDB Compass
CVE-2026-9101

5.3MEDIUM

Key Information:

Vendor: Mongodb, Inc.
Status: Compass
Vendor: CVE Published:; 20 May 2026

🔔 Create Mongodb, Inc. Vulnerability Alert

What is CVE-2026-9101?

A vulnerability in the csv parsing logic of MongoDB Compass allows for prototype pollution during the import process. This can result in untrusted file paths being executed through the shell.openExternal command, particularly triggered by specific user actions. Such behavior poses a significant risk of unintended command execution, potentially compromising system integrity.

Affected Version(s)

Compass 1.36.3

Compass 1.36.4

Compass 1.37.0

References

https://jira.mongodb.org/browse/COMPASS-10657

issue-tracking

CVSS V4

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 20, 2026
Vulnerability Reserved
May 20, 2026

CVE-2026-9101 Data

JSON