100 matches found
Apache Pinot < 1.3.0 - Authentication Bypass
This vulnerability allows remote attackers to bypass authentication on affected installations of Apache Pinot. Authentication is not required to exploit this vulnerability.The specific flaw exists within the AuthenticationFilter class. The issue results from insufficient neutralization of special...
PYSEC-2026-410 mcp-pinot: Unauthenticated tool invocation via default oauth_enabled=False + host 0.0.0.0 bind
Resolution Fixed in v3.1.0, released 2026-05-25. The fix was merged in PR 95 at commit 1c7d3f9. The fix changes the default HTTP bind host to 127.0.0.1, refuses non-loopback HTTP/HTTPS exposure unless OAuth is enabled, makes Helm exposure opt-in and OAuth-gated, and adds parser-backed...
PYSEC-2026-267 OS Command Injection in Apache Airflow
Improper Neutralization of Special Elements used in an OS Command 'OS Command Injection' vulnerability in Apache Airflow Pinot Provider, Apache Airflow allows an attacker to control commands executed in the task execution context, without write access to DAG files. This issue affects Apache Airfl...
EUVD-2026-37951
mcp-pinot: Unauthenticated tool invocation via default oauthenabled=False + host 0.0.0.0 bind...
GHSA-73CV-556C-W3G6 mcp-pinot: Unauthenticated tool invocation via default oauth_enabled=False + host 0.0.0.0 bind
Resolution Fixed in v3.1.0, released 2026-05-25. The fix was merged in PR 95 at commit 1c7d3f9. The fix changes the default HTTP bind host to 127.0.0.1, refuses non-loopback HTTP/HTTPS exposure unless OAuth is enabled, makes Helm exposure opt-in and OAuth-gated, and adds parser-backed...
CVE-2026-49257
mcp-pinot is a Python-based Model Context Protocol MCP server for interacting with Apache Pinot. In versions 3.0.1 and below, mcp-pinot defaults to running an HTTP MCP server bound to 0.0.0.0:8080 with no authentication enabled. All MCP tools, including SQL query execution, schema creation, and...
CVE-2026-49257 mcp-pinot: Unauthenticated tool invocation via default oauth_enabled=False + host 0.0.0.0 bind
mcp-pinot is a Python-based Model Context Protocol MCP server for interacting with Apache Pinot. In versions 3.0.1 and below, mcp-pinot defaults to running an HTTP MCP server bound to 0.0.0.0:8080 with no authentication enabled. All MCP tools, including SQL query execution, schema creation, and...
CVE-2026-49257
mcp-pinot is a Python-based Model Context Protocol MCP server for interacting with Apache Pinot. In versions 3.0.1 and below, mcp-pinot defaults to running an HTTP MCP server bound to 0.0.0.0:8080 with no authentication enabled. All MCP tools, including SQL query execution, schema creation, and...
CVE-2026-49257
Summary of CVE-2026-49257 – mcp-pinot : Versions 3.0.1 and earlier run an HTTP MCP server bound to 0.0.0.0:8080 with no authentication, exposing all MCP tools (SQL query execution, schema creation, table-config mutation) to any network-adjacent caller. The server proxies these calls using server-...
PT-2026-50795
Name of the Vulnerable Software and Affected Versions mcp-pinot versions prior to 3.1.0 Description mcp-pinot is a Python-based Model Context Protocol MCP server for interacting with Apache Pinot. The software defaults to running an HTTP MCP server bound to 0.0.0.0:8080 without authentication. Th...
GHSA-5W86-C3RQ-VJJ7 vulnerabilities
Vulnerabilities for packages: pinot-fips, celeborn, thingsboard, management-api-for-apache-cassandra-5.0...
CVE-2026-50011 vulnerabilities
Vulnerabilities for packages: pinot-fips, celeborn, thingsboard, management-api-for-apache-cassandra-5.0...
GHSA-C653-97M9-RCG9 vulnerabilities
Vulnerabilities for packages: opensearch, logstash-fips, spark, tez, kafbat-ui, thingsboard, druid, grpc-java-fips, commercial-elasticsearch, logstash, kayenta, kserve-modelmesh, reposilite, elasticsearch-fips, spark-kubernetes-operator, request-9047-keycloak-fips, neo4j, apache-pulsar-fips,...
CVE-2026-50010 vulnerabilities
Vulnerabilities for packages: opensearch, logstash-fips, spark, tez, kafbat-ui, thingsboard, druid, grpc-java-fips, commercial-elasticsearch, logstash, kayenta, kserve-modelmesh, reposilite, elasticsearch-fips, spark-kubernetes-operator, request-9047-keycloak-fips, neo4j, apache-pulsar-fips,...
CVE-2026-45300 vulnerabilities
Vulnerabilities for packages: apache-pulsar-fips, tez, pinot-fips, apache-pulsar, pinot, druid...
GHSA-FMXF-PM6P-7XGM vulnerabilities
Vulnerabilities for packages: apache-pulsar-fips, tez, pinot-fips, apache-pulsar, pinot, druid...
CVE-2026-44248 vulnerabilities
Vulnerabilities for packages: celeborn, hono, management-api-for-apache-cassandra-5.0, tez, apache-hop-fips, apache-activemq-artemis, seata, apache-hop, pinot-fips, thingsboard, pinot, management-api-for-apache-cassandra-4.1, druid, trino, management-api-for-apache-cassandra-4.0...
GHSA-JFG9-48MV-9QGX vulnerabilities
Vulnerabilities for packages: celeborn, hono, management-api-for-apache-cassandra-5.0, tez, apache-hop-fips, apache-activemq-artemis, seata, apache-hop, pinot-fips, thingsboard, pinot, management-api-for-apache-cassandra-4.1, druid, trino, management-api-for-apache-cassandra-4.0...
GHSA-RGRR-P7GP-5XJ7 vulnerabilities
Vulnerabilities for packages: celeborn, management-api-for-apache-cassandra-5.0, tez, apache-hop-fips, seata, apache-hop, pinot-fips, thingsboard, pinot, management-api-for-apache-cassandra-4.1, druid, trino, management-api-for-apache-cassandra-4.0...
CVE-2026-42586 vulnerabilities
Vulnerabilities for packages: celeborn, management-api-for-apache-cassandra-5.0, tez, apache-hop-fips, seata, apache-hop, pinot-fips, thingsboard, pinot, management-api-for-apache-cassandra-4.1, druid, trino, management-api-for-apache-cassandra-4.0...