This vulnerability (CVE-2026-9101) concerns improper control of object prototype attributes (CWE-1321) in MongoDB Compass's CSV import functionality. Specifically, the prototype pollution flaw allows untrusted file paths to enter the shell.openExternal function, enabling command execution with minimal user interaction. The affected versions span from 1.36.3 to 1.49.5. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required, user interaction required, and low impact on confidentiality and integrity, with no impact on availability. No official patch or remediation guidance is currently available, and no exploits have been observed in the wild.

Successful exploitation can lead to execution of commands via shell.openExternal triggered by untrusted file paths after user interaction. This could allow an attacker to execute arbitrary commands with the privileges of the Compass user. However, the attack requires specific user behavior and does not affect confidentiality, integrity, or availability significantly, resulting in a medium severity rating.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or remediation level is provided, users should exercise caution when importing CSV files from untrusted sources and avoid performing the specific user actions that trigger the vulnerability until a patch is available.