ctipilot.ch


CVE-2026-59509 — cve-search: unauthenticated /fetch_cve_data parameter manipulation exposes admin credential hashes (CVSS 9.2)

notable vulnerability discovered 2026-07-05 18:16 UTC

Part of run 2026-07-05T1809Z-intel (intel · Anthropic Claude (specific model not determined))

CVE-2026-59509 is an unauthenticated improper-input-validation flaw (CWE-20, CVSS 4.0 9.2, vector AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N) in the POST /fetch_cve_data endpoint of cve-search, the open-source CVE/CPE aggregation and search tool maintained by CIRCL (Luxembourg's CSIRT) and widely run internally by European CERTs, CSIRTs and MISP-adjacent CTI teams. The handler trusted attacker-controlled request parameters to select the target MongoDB collection, the projected fields, and the regex filters rather than restricting queries to the CVE collection, so a remote unauthenticated caller could redirect the query to arbitrary application collections — including mgmt_users — and read administrative usernames and password hashes, enabling offline cracking and admin-account takeover of the instance (CIRCL/NVD, 2026-07-05). Versions v4.0 through v6.0.0 are affected; the project's own fix (fix(web): add server-side validations for /fetch_cve_data inputs) was merged 2026-06-22 and shipped in v6.0.1, adding a CVE-only collection restriction, an allowlist for DataTables column fields, and enforced pagination bounds — all invalid requests now return HTTP 400 (cve-search project, GitHub PR #1218). No in-the-wild exploitation has been reported by either source and EPSS is not yet published, consistent with a same-day CVE assignment on an already-merged fix.

An unauthenticated improper input validation vulnerability in the POST /fetch_cve_data endpoint in cve-search. A remote attacker can manipulate request parameters controlling the MongoDB collection, projected fields, and regular-expression filters to read arbitrary application MongoDB collections. This can expose administrative usernames and password hashes from the mgmt_users collection, enabling offline password cracking and potential administrative account compromise.

ThreatInt.eu (CVE aggregator) 2026-07-05

fix(web): add server-side validations for /fetch_cve_data inputs

cve-search project (GitHub PR #1218 — fix) 2026-06-22

Action items

  • Inventory cve-search deployments and upgrade to v6.0.1 or later; the fix allowlists the retrieve/column parameters and enforces pagination bounds on /fetch_cve_data.
  • Until upgraded, confirm the cve-search web/API component is not reachable from untrusted networks (reverse-proxy / firewall ACLs on the Flask listener) and, if internet-facing, treat exposure as urgent.
  • If /fetch_cve_data may have been reached with non-default collection/column/regex parameters, rotate all cve-search admin credentials — mgmt_users hashes exposed to read enable offline cracking.
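The three server-side controls the fix is described as adding (a CVE-only collection restriction, an allowlist for the DataTables column fields, and enforced pagination bounds, with HTTP 400 on anything else) can be expressed as one validation step in front of the query builder, and the same validator doubles as a triage tool for the last action item: any captured request it rejects is one that reached the endpoint with non-default parameters. The block below is an added example written for this brief, not cve-search's own code and not the content of PR #1218; the parameter names (`collection`, `columns`, `start`, `length`, `search`), the collection name `cves`, the column allowlist and the page-size ceiling are all assumptions, and the sample captures are constructed, not real traffic. It also treats the free-text search as a literal via `re.escape` rather than a client-written regex, which goes one step beyond what the brief states the fix does.

```python
import re

# Assumed names (not taken from cve-search's code): the CVE collection, the
# DataTables columns a client may request, and the pagination ceiling.
CVE_COLLECTION = "cves"
ALLOWED_COLUMNS = frozenset({"id", "summary", "cvss", "published", "modified"})
MAX_PAGE_LENGTH = 100
MAX_SEARCH_LENGTH = 200


class InvalidRequest(ValueError):
    """Any request the handler should answer with HTTP 400."""


def _int_param(params, name, default, lo, hi):
    """Parse an integer parameter and enforce an inclusive [lo, hi] range."""
    raw = params.get(name, default)
    try:
        value = int(raw)
    except (TypeError, ValueError):
        raise InvalidRequest(f"{name} must be an integer")
    if not lo <= value <= hi:
        raise InvalidRequest(f"{name} out of bounds [{lo}, {hi}]")
    return value


def validate_fetch_params(params):
    """Return a sanitized query spec for the CVE collection or raise InvalidRequest.

    params: the decoded request parameters (form fields or JSON) as a dict.
    The returned spec never carries a client-chosen collection, projection
    field or raw regex: each is pinned, allowlisted or escaped here.
    """
    # 1. Collection: this endpoint serves CVEs only. A request that names any
    #    other collection is refused rather than silently redirected.
    collection = params.get("collection", CVE_COLLECTION)
    if collection != CVE_COLLECTION:
        raise InvalidRequest("collection is not selectable")

    # 2. Projected fields: every requested column must be on the allowlist.
    columns = params.get("columns", sorted(ALLOWED_COLUMNS))
    if not isinstance(columns, list) or not columns:
        raise InvalidRequest("columns must be a non-empty list")
    bad = [c for c in columns if c not in ALLOWED_COLUMNS]
    if bad:
        raise InvalidRequest(f"unknown column(s): {bad}")

    # 3. Pagination bounds: non-negative offset, page size capped.
    start = _int_param(params, "start", 0, 0, 10**6)
    length = _int_param(params, "length", 25, 1, MAX_PAGE_LENGTH)

    # 4. Free-text search: escaped to a literal, never used as a client-written
    #    regex, and length-capped.
    search = params.get("search", "")
    if not isinstance(search, str):
        raise InvalidRequest("search must be a string")
    if len(search) > MAX_SEARCH_LENGTH:
        raise InvalidRequest("search too long")
    query = {"summary": {"$regex": re.escape(search), "$options": "i"}} if search else {}

    return {
        "collection": CVE_COLLECTION,
        "projection": {c: 1 for c in columns},
        "skip": start,
        "limit": length,
        "filter": query,
    }


def triage_requests(captured):
    """Run captured parameter sets through the validator and report the ones a
    patched server would have refused.

    captured: list of (request_id, params) pairs, for example from a reverse
    proxy configured to log POST bodies (a deployment assumption, not a
    cve-search feature). Each hit is (request_id, reason).
    """
    hits = []
    for req_id, params in captured:
        try:
            validate_fetch_params(params)
        except InvalidRequest as exc:
            hits.append((req_id, str(exc)))
    return hits


# Constructed sample captures (not real traffic): r1 is an ordinary paged
# search, r2 names another collection, r3 asks for a field outside the
# allowlist, r4 asks for an oversized page, r5 sends regex-looking text that
# the validator treats as a literal.
SAMPLE_CAPTURES = [
    ("r1", {"columns": ["id", "summary"], "start": "0", "length": "25", "search": "openssl"}),
    ("r2", {"collection": "mgmt_users", "columns": ["id"], "start": "0", "length": "25"}),
    ("r3", {"columns": ["password"], "start": "0", "length": "25"}),
    ("r4", {"columns": ["id"], "start": "0", "length": "100000"}),
    ("r5", {"columns": ["id"], "start": "0", "length": "10", "search": "(a+)+$"}),
]

if __name__ == "__main__":
    for req_id, reason in triage_requests(SAMPLE_CAPTURES):
        print(f"{req_id}: would be rejected with 400: {reason}")
```

Run stand-alone it lists r2, r3 and r4 as the captures a patched server would reject; r5 passes because the search text is escaped before it reaches the `$regex` operator. In a real handler the `InvalidRequest` exception maps to the 400 response, and the returned spec is the only thing handed to the MongoDB query builder.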
Tags: vulnerabilities · pre-auth · info-disclosure · sqli · patch-available · europe · CVE-2026-59509