CVE-2026-59509

cve-search · cve-search

The cve-search application is vulnerable to improper input validation in its API, allowing unauthenticated remote attackers to read arbitrary MongoDB collections, including administrative credentials.

Executive summary

An unauthenticated input validation vulnerability in cve-search allows remote attackers to exfiltrate administrative credentials from the underlying MongoDB database.

Vulnerability

This vulnerability is an Improper Input Validation (CWE-20) issue located in the POST /fetch_cve_data endpoint. By manipulating request parameters, an unauthenticated attacker can query arbitrary MongoDB collections, including those containing administrative user hashes.

Business impact

Successful exploitation allows an attacker to extract user data and password hashes, which can then be cracked offline to gain full administrative control over the cve-search instance. With a CVSS score of 9.2, this represents a critical risk, especially if the instance is used to manage sensitive vulnerability management data or is integrated into other security workflows.

Remediation

Immediate Action: Update the cve-search software to the latest version as specified in the vendor's security advisory.

Proactive Monitoring: Review access logs for the /fetch_cve_data endpoint, specifically looking for unusual regex patterns or attempts to access collections other than those intended for standard use.

Compensating Controls: Restrict network access to the cve-search instance using IP allowlisting or VPN requirements to prevent unauthorized access to the API endpoints.

Exploitation status

Public Exploit Available: False

Analyst recommendation

Given the ease of access to administrative hashes, this vulnerability must be patched immediately. Ensure that the update is applied and verify that the instance is not exposed to the public internet without proper authentication or network-level restrictions.