MongoDB Compass: CSV import prototype pollution leads to 1click exec
CVE-2026-9101 Published on May 20, 2026
Prototype pollution in csv parsing
Prototype pollution in csv parsing logic during import can lead to untrusted file paths (but not arguments) entering shell.openExternal after specific user behavior leading to "1-click" command execution.
Vulnerability Analysis
CVE-2026-9101 can be exploited with network access, requires user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality, with no impact on integrity, and no impact on availability.
Weakness Type
What is a Prototype Pollution Vulnerability?
The software receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
CVE-2026-9101 has been classified to as a Prototype Pollution vulnerability or weakness.
Products Associated with CVE-2026-9101
Want to know whenever a new CVE is published for MongoDB Compass? stack.watch will email you.
Affected Versions
MongoDB, Inc. Compass:- Version 1.36.3 is affected.
- Version 1.36.4 is affected.
- Version 1.37.0 is affected.
- Version 1.38.0 is affected.
- Version 1.38.1 is affected.
- Version 1.38.2 is affected.
- Version 1.39.0 is affected.
- Version 1.39.1 is affected.
- Version 1.39.2 is affected.
- Version 1.39.3 is affected.
- Version 1.39.4 is affected.
- Version 1.40.0 is affected.
- Version 1.40.1 is affected.
- Version 1.40.2 is affected.
- Version 1.40.3 is affected.
- Version 1.40.4 is affected.
- Version 1.41.0 is affected.
- Version 1.42.0 is affected.
- Version 1.42.1 is affected.
- Version 1.42.2 is affected.
- Version 1.42.3 is affected.
- Version 1.42.5 is affected.
- Version 1.43.0 is affected.
- Version 1.43.1 is affected.
- Version 1.43.2 is affected.
- Version 1.43.3 is affected.
- Version 1.43.4 is affected.
- Version 1.43.5 is affected.
- Version 1.43.6 is affected.
- Version 1.44.0 is affected.
- Version 1.44.3 is affected.
- Version 1.44.4 is affected.
- Version 1.44.5 is affected.
- Version 1.44.6 is affected.
- Version 1.44.7 is affected.
- Version 1.45.0 is affected.
- Version 1.45.1 is affected.
- Version 1.45.2 is affected.
- Version 1.45.3 is affected.
- Version 1.45.4 is affected.
- Version 1.46.0 is affected.
- Version 1.46.1 is affected.
- Version 1.46.2 is affected.
- Version 1.46.3 is affected.
- Version 1.46.4 is affected.
- Version 1.46.5 is affected.
- Version 1.46.6 is affected.
- Version 1.46.7 is affected.
- Version 1.46.8 is affected.
- Version 1.46.9 is affected.
- Version 1.46.10 is affected.
- Version 1.46.11 is affected.
- Version 1.47.0 is affected.
- Version 1.47.1 is affected.
- Version 1.48.0 is affected.
- Version 1.48.1 is affected.
- Version 1.48.2 is affected.
- Version 1.49.0 is affected.
- Version 1.49.1 is affected.
- Version 1.49.2 is affected.
- Version 1.49.3 is affected.
- Version 1.49.4 is affected.
- Version 1.49.5 is affected.