Lucene search
+L

18 matches found

NVD
NVD
added 3 days ago9 views

CVE-2026-44969

dbt-mcp is a Model Context Protocol server for interacting with dbt. Prior to 1.17.1, DbtMCP.calltool in src/dbtmcp/mcp/server.py logged the raw arguments dictionary at INFO level before each tool call and at ERROR level on exceptions, and configurefilelogging wrote those records to dbt-mcp.log...

2.5CVSS0.00104EPSS
Exploits0References4
NVD
NVD
added 3 days ago8 views

CVE-2026-44970

dbt-mcp is a Model Context Protocol server for interacting with dbt. Prior to 1.17.1, DefaultUsageTracker.emittoolcalledevent in src/dbtmcp/tracking/tracking.py serialized every MCP tool call's complete arguments dictionary and sent it through dbtlabsvortex.producer.logproto without redaction,...

3.1CVSS0.00205EPSS
Exploits0References4
Cvelist
Cvelist
added 3 days ago37 views

CVE-2026-44969 dbt-mcp: Tool Arguments Including SQL Queries and Credentials Logged in Plaintext Without Redaction When File Logging Is Enabled

dbt-mcp is a Model Context Protocol server for interacting with dbt. Prior to 1.17.1, DbtMCP.calltool in src/dbtmcp/mcp/server.py logged the raw arguments dictionary at INFO level before each tool call and at ERROR level on exceptions, and configurefilelogging wrote those records to dbt-mcp.log...

2.5CVSS0.00104EPSS
Exploits0References4
CVE
CVE
added 3 days ago14 views

CVE-2026-44969

dbt-mcp: CVE-2026-44969 involves logging of complete tool call arguments (including sql_query, vars, and node_selection) in plaintext when DBT_MCP_SERVER_FILE_LOGGING is enabled. The issue is present in earlier versions (e.g., v1.15.x) and fixed in v1.17.1. Connected sources confirm that argument...

2.5CVSS6.1AI score0.00104EPSS
Exploits0References4
OSV
OSV
added 3 days ago4 views

CVE-2026-44969 dbt-mcp: Tool Arguments Including SQL Queries and Credentials Logged in Plaintext Without Redaction When File Logging Is Enabled

dbt-mcp is a Model Context Protocol server for interacting with dbt. Prior to 1.17.1, DbtMCP.calltool in src/dbtmcp/mcp/server.py logged the raw arguments dictionary at INFO level before each tool call and at ERROR level on exceptions, and configurefilelogging wrote those records to dbt-mcp.log...

2.5CVSS6.1AI score0.00104EPSS
Exploits0References6
CVE
CVE
added 3 days ago29 views

CVE-2026-44970

CVE-2026-44970 affects dbt-mcp prior to v1.17.1. The DefaultUsageTracker.emit_tool_called_event() serializes every MCP tool call’s arguments (e.g., sql_query from show, vars from run/build/test, node_selection from compile) and transmits them to dbt Labs telemetry without redaction. Telemetry is ...

3.1CVSS6.1AI score0.00205EPSS
Exploits0References4
Cvelist
Cvelist
added 3 days ago39 views

CVE-2026-44970 dbt-mcp: All MCP Tool Arguments Including Raw SQL and --vars Credentials Transmitted to dbt Labs Telemetry by Default Without Redaction

dbt-mcp is a Model Context Protocol server for interacting with dbt. Prior to 1.17.1, DefaultUsageTracker.emittoolcalledevent in src/dbtmcp/tracking/tracking.py serialized every MCP tool call's complete arguments dictionary and sent it through dbtlabsvortex.producer.logproto without redaction,...

3.1CVSS0.00205EPSS
Exploits0References4
OSV
OSV
added 3 days ago5 views

CVE-2026-44970 dbt-mcp: All MCP Tool Arguments Including Raw SQL and --vars Credentials Transmitted to dbt Labs Telemetry by Default Without Redaction

dbt-mcp is a Model Context Protocol server for interacting with dbt. Prior to 1.17.1, DefaultUsageTracker.emittoolcalledevent in src/dbtmcp/tracking/tracking.py serialized every MCP tool call's complete arguments dictionary and sent it through dbtlabsvortex.producer.logproto without redaction,...

3.1CVSS6.1AI score0.00205EPSS
Exploits0References6
CVE
CVE
added 3 days ago21 views

CVE-2026-44968

Summary: CVE-2026-44968 affects dbt-mcp (Model Context Protocol server). Prior to v1.17.1, _run_dbt_command() in src/dbt_mcp/dbt_cli/tools.py appended user-supplied MCP parameters to the dbt subprocess argv without validation. This enables argument-list injection via two vectors: (1) node_selecti...

6.3CVSS6.1AI score0.00137EPSS
Exploits0References4
Cvelist
Cvelist
added 3 days ago38 views

CVE-2026-44968 dbt-mcp: Argument Injection in dbt CLI Tool Wrappers via node_selection and resource_type Parameters

dbt-mcp is a Model Context Protocol server for interacting with dbt. Prior to 1.17.1, rundbtcommand in src/dbtmcp/dbtcli/tools.py appended unsanitized nodeselection and resourcetype values to the dbt subprocess argument list, allowing an MCP client to inject dbt global flags such as --profiles-di...

6.3CVSS0.00137EPSS
Exploits0References4
OSV
OSV
added 3 days ago6 views

CVE-2026-44968 dbt-mcp: Argument Injection in dbt CLI Tool Wrappers via node_selection and resource_type Parameters

dbt-mcp is a Model Context Protocol server for interacting with dbt. Prior to 1.17.1, rundbtcommand in src/dbtmcp/dbtcli/tools.py appended unsanitized nodeselection and resourcetype values to the dbt subprocess argument list, allowing an MCP client to inject dbt global flags such as --profiles-di...

6.3CVSS6.1AI score0.00137EPSS
Exploits0References6
Snyk
Snyk
added 2026/06/19 9:15 p.m.6 views

Origin Validation Error

Overview dbt-mcp is an A MCP Model Context Protocol server for interacting with dbt resources. Affected versions of this package are vulnerable to Origin Validation Error in the GET /dbtplatformcontext endpoint, which is exposed without authentication or host-origin validation. An attacker can...

7.6CVSS5.8AI score
Exploits0References3
Snyk
Snyk
added 2026/05/14 6:25 p.m.9 views

Insertion of Sensitive Information Into Sent Data

Overview dbt-mcp is an A MCP Model Context Protocol server for interacting with dbt resources. Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data in the emittoolcalledevent process, which serializes and transmits all tool arguments, including...

3.1CVSS5.8AI score0.00205EPSS
Exploits0References2
OSV
OSV
added 2026/05/14 6:24 p.m.6 views

GHSA-7XGW-6QF3-7W59 dbt MCP Server Logs Tool Arguments Including SQL Queries and Credentials in Plaintext Without Redaction When File Logging Is Enabled

Discovered through manual source code review. Verified by PoC execution against a local dbt-mcp v1.15.1 installation. Summary DbtMCP.calltool in src/dbtmcp/mcp/server.py logs the complete raw arguments dictionary at INFO level on every tool invocation line 67 and again at ERROR level if the call...

2.5CVSS6AI score0.00104EPSS
Exploits0References3
Snyk
Snyk
added 2026/05/14 6:24 p.m.9 views

Arbitrary Argument Injection

Overview dbt-mcp is an A MCP Model Context Protocol server for interacting with dbt resources. Affected versions of this package are vulnerable to Arbitrary Argument Injection via the nodeselection or resourcetype parameters in the rundbtcommand process. An attacker can override configuration fil...

7.2CVSS6AI score0.00137EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/05/14 6:24 p.m.16 views

dbt MCP Server has an Argument Injection in dbt CLI Tool Wrappers via node_selection and resource_type Parameters

Discovered through manual source code review. Verified by PoC execution against a local dbt-mcp v1.15.1 installation. Summary rundbtcommand in src/dbtmcp/dbtcli/tools.py constructs the dbt subprocess argument list by appending user-supplied MCP tool parameters without sanitization. Two independen...

6.3CVSS6.1AI score0.00137EPSS
Exploits0References3Affected Software1
Positive Technologies
Positive Technologies
added 2026/05/14 12:0 a.m.15 views

PT-2026-41149

Name of the Vulnerable Software and Affected Versions dbt-mcp version 1.15.1 Description The DbtMCP.call tool function in src/dbt mcp/mcp/server.py logs the complete raw arguments dictionary at the INFO level for every tool invocation and at the ERROR level if an exception occurs. No fields are...

2.5CVSS6.1AI score0.00104EPSS
Exploits0References10
Circl
Circl
added 2026/05/13 3:1 p.m.10 views

CVE-2026-44970

creationtimestamp| type| source ---|---|--- 2026-05-13 15:01:46+00:00| published-proof-of-concept| https://github.com/dbt-labs/dbt-mcp/security/advisories/GHSA-jj54-r8gm-2fcf...

3.1CVSS4.9AI score0.00205EPSS
Exploits0References1
Rows per page
Query Builder