CVE-2026-9101
Description
Prototype pollution in csv parsing logic during import can lead to untrusted file paths (but not arguments) entering shell.openExternal after specific user behavior leading to "1-click" command execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Prototype pollution vulnerability in CSV import parsing of MongoDB Compass allows 1-click command execution via crafted file.
Vulnerability
In MongoDB Compass, the CSV import functionality parses headers and data. A prototype pollution vulnerability exists in the CSV parsing logic that can be triggered during import. An attacker can craft a malicious CSV file that, when imported by a targeted user, pollutes the Object prototype. This allows untrusted file paths (but not arguments) to be passed to shell.openExternal, leading to command execution. The affected versions are not explicitly listed, but the issue was fixed in a later release.
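The defensive check the description implies, as an added illustration that is not MongoDB Compass code: a small CSV importer that validates header-derived key paths before they become object keys, and builds records from null-prototype objects so a crafted header cannot reach Object.prototype. It assumes dotted header names denote nested fields (a convention used by mongoimport-style CSV import) and that the constructed sample input has no quoted commas.

```javascript
// Added example, not MongoDB Compass code. Header names from an untrusted
// CSV file are validated before they are used as object keys.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Split a header such as "address.city" into a key path and reject any
// segment that could redirect a property write into the prototype chain.
function headerToPath(header) {
  const path = header.trim().split(".");
  for (const seg of path) {
    if (seg === "" || FORBIDDEN_KEYS.has(seg)) {
      throw new Error(`rejected unsafe CSV header: ${JSON.stringify(header)}`);
    }
  }
  return path;
}

// Write a nested value, creating intermediate containers with a null
// prototype so a lookup can never walk up into Object.prototype.
function setNested(record, path, value) {
  let cur = record;
  for (let i = 0; i < path.length - 1; i++) {
    const seg = path[i];
    if (!Object.prototype.hasOwnProperty.call(cur, seg)) {
      cur[seg] = Object.create(null);
    } else if (typeof cur[seg] !== "object" || cur[seg] === null) {
      throw new Error(`header conflicts with scalar field: ${seg}`);
    }
    cur = cur[seg];
  }
  cur[path[path.length - 1]] = value;
}

// Parse a simple CSV text (first line = headers) into null-prototype records.
function parseCsv(text) {
  const lines = text.split(/\r?\n/).filter((l) => l.length > 0);
  const paths = lines[0].split(",").map(headerToPath);
  return lines.slice(1).map((line) => {
    const cells = line.split(",").map((c) => c.trim());
    const record = Object.create(null);
    paths.forEach((p, i) => setNested(record, p, cells[i] ?? ""));
    return record;
  });
}

// True when no property of that name is reachable through Object.prototype.
function prototypeIsClean(name) {
  return !(name in {});
}

// Constructed sample inputs: a benign file and one with a hostile header.
const SAMPLE_OK = "name,address.city\nAda,London\nGrace,Arlington\n";
const SAMPLE_BAD = "name,__proto__.polluted\nAda,yes\n";
```

Importing SAMPLE_BAD is refused at header validation, so the check can be run on a file before any row is processed.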
Exploitation
The attacker must convince the user to import a malicious CSV file. No authentication or special network position is required beyond delivering the file. The single user action of initiating the CSV import in Compass triggers the prototype pollution; the attacker needs no further interaction once the file is imported.
Impact
Successful exploitation allows an attacker to execute arbitrary commands on the user's system with the privileges of the user running Compass. This is a '1-click' attack, as only a single user action (import) is needed. The impact includes full compromise of confidentiality, integrity, and availability of the affected system.
Mitigation
The vulnerability is fixed in a later version of MongoDB Compass as indicated by the JIRA ticket [1]. Users should upgrade to the latest version. No workarounds are provided. The CVE is not listed in CISA's Known Exploited Vulnerabilities catalog as of publication.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.