4 matches found

NVD
added 2 days ago, 5 views

CVE-2026-9735

MongoDB server may log authentication parameters, including credentials, to the server log during SASL authentication. When connection health metric logging is enabled, the full authentication parameters are written to the log without redaction...

CVSS 6.8, EPSS 0.00016
Exploits: 0, References: 1

Github Security Blog
added 2026/05/14 6:25 p.m., 6 views

dbt MCP Server Transmits All MCP Tool Arguments Including Raw SQL and --vars Credentials to dbt Labs Telemetry by Default Without Redaction

Discovered through manual source code review. Verified by PoC execution against a local dbt-mcp v1.15.1 installation. Summary: DefaultUsageTracker.emit_tool_called_event in src/dbt_mcp/tracking/tracking.py serializes the complete arguments dictionary of every MCP tool call and transmits it verbatim to...

AI score 6
Exploits: 0, References: 3, Affected Software: 1

Github Security Blog
added 2026/05/14 6:24 p.m., 10 views

dbt MCP Server Logs Tool Arguments Including SQL Queries and Credentials in Plaintext Without Redaction When File Logging Is Enabled

Discovered through manual source code review. Verified by PoC execution against a local dbt-mcp v1.15.1 installation. Summary: DbtMCP.call_tool in src/dbt_mcp/mcp/server.py logs the complete raw arguments dictionary at INFO level on every tool invocation (line 67) and again at ERROR level if the call...

AI score 6
Exploits: 0, References: 3, Affected Software: 1

Positive Technologies
added 2026/05/14 12:0 a.m., 8 views

PT-2026-41149

Discovered through manual source code review. Verified by PoC execution against a local dbt-mcp v1.15.1 installation. Summary: DbtMCP.call_tool in src/dbt_mcp/mcp/server.py logs the complete raw arguments dictionary at INFO level on every tool invocation (line 67) and again at ERROR level if the cal...

CVSS 2.5, AI score 6
Exploits: 0, References: 4