CVE-2026-59509 in cve-search

Summary

by MITRE • 07/05/2026

An unauthenticated improper input validation vulnerability in the POST /fetch_cve_data endpoint in cve-search. A remote attacker can manipulate request parameters controlling the MongoDB collection, projected fields, and regular-expression filters to read arbitrary application MongoDB collections. This can expose administrative usernames and password hashes from the mgmt_users collection, enabling offline password cracking and potential administrative account compromise.


Analysis

by VulDB Data Team • 07/05/2026

This vulnerability resides in the cve-search application's POST /fetch_cve_data endpoint, which builds a MongoDB query from request parameters without authenticating the caller and without validating those parameters. User-supplied values are copied straight into the query: the name of the collection to read, the fields to project, and the patterns used as regular-expression filters. The endpoint therefore exposes a generic database-read primitive rather than the narrow CVE lookup it was meant to provide.

Technically this is a NoSQL query-injection variant rather than command injection. The attacker does not execute code; they decide which collection is queried, which fields come back, and which regular expressions the server evaluates (an unanchored pattern such as .* matches every document). Because the collection name itself is attacker-controlled, the endpoint also behaves like an insecure direct object reference at the collection level: any collection in the application database is reachable, including mgmt_users, which holds the administrative account records.

The operational impact goes beyond disclosure of CVE data. Reading mgmt_users yields administrative usernames together with their password hashes, which an attacker can crack offline by dictionary or brute-force methods; success then depends on the hashing scheme in use and on password strength, neither of which the advisory states. Any recovered password gives administrative access to the instance, so a single unauthenticated request is enough to start a path toward full compromise.

Mitigation should remove the attacker's control over the query structure rather than try to sanitize it. The collection name must never come from the client: the endpoint should read a fixed collection, or map a request value onto a server-side allowlist. Projected fields and filterable fields should likewise be restricted to an allowlist, regex input should be escaped so it matches literally (or rejected outright), and non-string values should be refused so that query operators cannot be smuggled in. The endpoint should also require authentication, and the database account the web tier uses should be limited to the collections it legitimately needs. The flaw corresponds to CWE-20 (Improper Input Validation) and CWE-943 (Improper Neutralization of Special Elements in Data Query Logic). In ATT&CK terms the entry point is T1190 (Exploit Public-Facing Application); the follow-on activity is T1110.002 (Brute Force: Password Cracking) against the exposed hashes and T1078 (Valid Accounts) once a password is recovered.
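The flaw class and the mitigation above, as an added example that is not code from cve-search. The request parameter names (collection, fields, filters), the allowlists and the sample records are assumptions for illustration. No MongoDB instance is needed: each builder returns the (collection, filter, projection) triple that would be handed to a find() call, and a small in-memory emulation of find() shows what each builder lets through.

```python
"""Added example, not cve-search's own code. Parameter names, allowlists and
sample data are assumptions chosen for illustration."""
import re

# Hypothetical allowlists for the endpoint: the one collection it should read
# and the fields it may project or filter on. "mgmt_users" is deliberately absent.
ALLOWED_COLLECTIONS = {"cves"}
ALLOWED_FIELDS = {"id", "summary", "cvss", "published"}

# Constructed sample data standing in for two collections (hash is not real).
SAMPLE_DB = {
    "cves": [{"_id": 1, "id": "CVE-2000-0001", "summary": "example entry", "cvss": 5.0}],
    "mgmt_users": [{"_id": 2, "name": "admin", "password": "$2b$12$constructed-hash-not-real"}],
}


class QueryRejected(ValueError):
    """Raised by the hardened builder when a request parameter is not permitted."""


def build_query_vulnerable(params):
    """Mirrors the flaw class: collection, projection and regex patterns are all
    copied from the request, so the caller controls the whole query."""
    collection = params["collection"]
    projection = {f: 1 for f in params.get("fields", [])}
    query = {f: {"$regex": p} for f, p in params.get("filters", {}).items()}
    return collection, query, projection


def build_query_hardened(params):
    """Same interface, but the collection and fields must be allowlisted, filter
    values must be strings (no smuggled operators such as {"$ne": None}), and the
    regex is escaped so it matches the supplied text literally."""
    collection = params.get("collection", "cves")
    if collection not in ALLOWED_COLLECTIONS:
        raise QueryRejected(f"collection not permitted: {collection!r}")
    fields = list(params.get("fields", []))
    if set(fields) - ALLOWED_FIELDS:
        raise QueryRejected(f"fields not permitted: {sorted(set(fields) - ALLOWED_FIELDS)}")
    projection = {f: 1 for f in (fields or sorted(ALLOWED_FIELDS))}
    projection["_id"] = 0
    query = {}
    for field, value in params.get("filters", {}).items():
        if field not in ALLOWED_FIELDS:
            raise QueryRejected(f"filter field not permitted: {field!r}")
        if not isinstance(value, str) or len(value) > 128:
            raise QueryRejected(f"filter value for {field!r} must be a short string")
        # re.escape turns "." or ".*" into literal text, so the client cannot
        # widen the match or probe other values character by character.
        query[field] = {"$regex": re.escape(value), "$options": "i"}
    return collection, query, projection


def run_query(db, collection, query, projection):
    """Minimal emulation of find() for {$regex, $options} filters and inclusion
    projections; enough to show the effect of each builder. Not pymongo."""
    results = []
    for doc in db[collection]:
        matched = all(
            re.search(cond["$regex"], str(doc.get(field, "")),
                      re.I if "i" in cond.get("$options", "") else 0)
            for field, cond in query.items()
        )
        if not matched:
            continue
        keep = [f for f, v in projection.items() if v == 1]
        if keep:
            results.append({f: doc[f] for f in keep if f in doc})
        else:
            results.append({f: v for f, v in doc.items() if projection.get(f, 1) != 0})
    return results


# Constructed attacker request: read every row of mgmt_users, two fields only.
ATTACK = {"collection": "mgmt_users", "fields": ["name", "password"], "filters": {"name": ".*"}}
# Constructed legitimate request against the intended collection.
LEGIT = {"filters": {"summary": "example"}}


def demo():
    """Returns what the vulnerable builder leaks and what the hardened one serves."""
    leaked = run_query(SAMPLE_DB, *build_query_vulnerable(ATTACK))
    served = run_query(SAMPLE_DB, *build_query_hardened(LEGIT))
    try:
        build_query_hardened(ATTACK)
        blocked = False
    except QueryRejected:
        blocked = True
    return leaked, served, blocked


if __name__ == "__main__":
    print(demo())
```

The hardened builder rejects the attack at the collection check before any query is built; it would also reject the projection and, if the request reached that point, a dict-valued filter. The escape step matters even when fields are allowlisted, since an unrestricted pattern against an allowed field still lets a client enumerate that field's contents.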

Organizations running cve-search should log requests to data-access endpoints with enough detail to spot queries against collections other than the CVE data, and should keep the MongoDB instance off any network reachable from outside the application tier. Security assessments should test every endpoint that translates request parameters into database queries for the same pattern. The case illustrates least privilege in database design: a web component should be able to read only the collections and fields its function requires, not the whole application database.

Responsible

CIRCL

Reservation

07/05/2026

Disclosure

07/05/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low
