CVE-2026-44970
CVE-2026-44970 affects dbt-mcp prior to v1.17.1. The DefaultUsageTracker.emit_tool_called_event() serializes every MCP tool call’s arguments (e.g., sql_query from show, vars from run/build/test, node_selection from compile) and transmits them to dbt Labs telemetry without redaction. Telemetry is ...