Lucene search
K

100 matches found

Nuclei
Nuclei
added 10 hours ago65 views

Apache Pinot < 1.3.0 - Authentication Bypass

This vulnerability allows remote attackers to bypass authentication on affected installations of Apache Pinot. Authentication is not required to exploit this vulnerability.The specific flaw exists within the AuthenticationFilter class. The issue results from insufficient neutralization of special...

9.8CVSS7.2AI score0.78668EPSS
Exploits0References4
OSV
OSV
added 2026/06/29 11:50 a.m.5 views

PYSEC-2026-410 mcp-pinot: Unauthenticated tool invocation via default oauth_enabled=False + host 0.0.0.0 bind

Resolution Fixed in v3.1.0, released 2026-05-25. The fix was merged in PR 95 at commit 1c7d3f9. The fix changes the default HTTP bind host to 127.0.0.1, refuses non-loopback HTTP/HTTPS exposure unless OAuth is enabled, makes Helm exposure opt-in and OAuth-gated, and adds parser-backed...

10CVSS6.1AI score0.00498EPSS
Exploits0References8
OSV
OSV
added 2026/06/29 11:50 a.m.7 views

PYSEC-2026-267 OS Command Injection in Apache Airflow

Improper Neutralization of Special Elements used in an OS Command 'OS Command Injection' vulnerability in Apache Airflow Pinot Provider, Apache Airflow allows an attacker to control commands executed in the task execution context, without write access to DAG files. This issue affects Apache Airfl...

9.8CVSS7.4AI score0.03228EPSS
Exploits0References7
EUVD
EUVD
added 2026/06/26 9:5 p.m.11 views

EUVD-2026-37951

mcp-pinot: Unauthenticated tool invocation via default oauthenabled=False + host 0.0.0.0 bind...

10CVSS5.8AI score0.00498EPSS
Exploits0References5
OSV
OSV
added 2026/06/26 9:5 p.m.2 views

GHSA-73CV-556C-W3G6 mcp-pinot: Unauthenticated tool invocation via default oauth_enabled=False + host 0.0.0.0 bind

Resolution Fixed in v3.1.0, released 2026-05-25. The fix was merged in PR 95 at commit 1c7d3f9. The fix changes the default HTTP bind host to 127.0.0.1, refuses non-loopback HTTP/HTTPS exposure unless OAuth is enabled, makes Helm exposure opt-in and OAuth-gated, and adds parser-backed...

10CVSS6.1AI score0.00498EPSS
Exploits0References6
NVD
NVD
added 2026/06/18 9:16 p.m.14 views

CVE-2026-49257

mcp-pinot is a Python-based Model Context Protocol MCP server for interacting with Apache Pinot. In versions 3.0.1 and below, mcp-pinot defaults to running an HTTP MCP server bound to 0.0.0.0:8080 with no authentication enabled. All MCP tools, including SQL query execution, schema creation, and...

10CVSS0.00498EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/06/18 9:1 p.m.21 views

CVE-2026-49257 mcp-pinot: Unauthenticated tool invocation via default oauth_enabled=False + host 0.0.0.0 bind

mcp-pinot is a Python-based Model Context Protocol MCP server for interacting with Apache Pinot. In versions 3.0.1 and below, mcp-pinot defaults to running an HTTP MCP server bound to 0.0.0.0:8080 with no authentication enabled. All MCP tools, including SQL query execution, schema creation, and...

10CVSS0.00498EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/06/18 9:1 p.m.14 views

CVE-2026-49257

mcp-pinot is a Python-based Model Context Protocol MCP server for interacting with Apache Pinot. In versions 3.0.1 and below, mcp-pinot defaults to running an HTTP MCP server bound to 0.0.0.0:8080 with no authentication enabled. All MCP tools, including SQL query execution, schema creation, and...

10CVSS5.6AI score0.00498EPSS
Exploits0References5Affected Software1
CVE
CVE
added 2026/06/18 9:1 p.m.72 views

CVE-2026-49257

Summary of CVE-2026-49257 – mcp-pinot : Versions 3.0.1 and earlier run an HTTP MCP server bound to 0.0.0.0:8080 with no authentication, exposing all MCP tools (SQL query execution, schema creation, table-config mutation) to any network-adjacent caller. The server proxies these calls using server-...

10CVSS5.6AI score0.00498EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.21 views

PT-2026-50795

Name of the Vulnerable Software and Affected Versions mcp-pinot versions prior to 3.1.0 Description mcp-pinot is a Python-based Model Context Protocol MCP server for interacting with Apache Pinot. The software defaults to running an HTTP MCP server bound to 0.0.0.0:8080 without authentication. Th...

10CVSS5.9AI score0.00498EPSS
Exploits0References15
Chainguard
Chainguard
added 2026/06/16 8:22 p.m.12 views

GHSA-C653-97M9-RCG9 vulnerabilities

Vulnerabilities for packages: cassandra, solr, opensearch, druid, wazuh-indexer, elasticsearch-fips, ghidra, grpc-java-fips, logstash, spark-kubernetes-operator, management-api-for-apache-cassandra-5.0, knative-kafka-broker-fips, celeborn, kayenta-fips, elasticsearch, spark, kafka, tez,...

6.1AI score
Exploits0
Chainguard
Chainguard
added 2026/06/16 8:22 p.m.10 views

GHSA-5W86-C3RQ-VJJ7 vulnerabilities

Vulnerabilities for packages: celeborn, thingsboard, pinot-fips, management-api-for-apache-cassandra-5.0...

6.1AI score
Exploits0
Chainguard
Chainguard
added 2026/06/16 8:22 p.m.10 views

CVE-2026-50010 vulnerabilities

Vulnerabilities for packages: cassandra, solr, opensearch, druid, wazuh-indexer, elasticsearch-fips, ghidra, grpc-java-fips, logstash, spark-kubernetes-operator, management-api-for-apache-cassandra-5.0, knative-kafka-broker-fips, celeborn, kayenta-fips, elasticsearch, spark, kafka, tez,...

7.5CVSS7AI score0.00269EPSS
Exploits0
Chainguard
Chainguard
added 2026/06/16 8:22 p.m.11 views

CVE-2026-50011 vulnerabilities

Vulnerabilities for packages: celeborn, thingsboard, pinot-fips, management-api-for-apache-cassandra-5.0...

7.5CVSS7AI score0.0038EPSS
Exploits0
Chainguard
Chainguard
added 2026/05/19 7:18 a.m.11 views

GHSA-FMXF-PM6P-7XGM vulnerabilities

Vulnerabilities for packages: tez, apache-pulsar, pinot-fips, apache-pulsar-fips, pinot, druid...

6.1AI score
Exploits0
Chainguard
Chainguard
added 2026/05/19 7:18 a.m.20 views

CVE-2026-45300 vulnerabilities

Vulnerabilities for packages: tez, apache-pulsar, pinot-fips, apache-pulsar-fips, pinot, druid...

7.4CVSS6.1AI score0.00322EPSS
Exploits1
Chainguard
Chainguard
added 2026/05/08 1:17 p.m.15 views

CVE-2026-44248 vulnerabilities

Vulnerabilities for packages: apache-hop, apache-activemq-artemis, apache-hop-fips, management-api-for-apache-cassandra-4.1, pinot-fips, seata, tez, celeborn, pinot, druid, management-api-for-apache-cassandra-4.0, thingsboard, trino, management-api-for-apache-cassandra-5.0, hono...

7.5CVSS6.7AI score0.00455EPSS
Exploits0
Chainguard
Chainguard
added 2026/05/08 1:17 p.m.11 views

GHSA-JFG9-48MV-9QGX vulnerabilities

Vulnerabilities for packages: apache-hop, apache-activemq-artemis, apache-hop-fips, management-api-for-apache-cassandra-4.1, pinot-fips, seata, tez, celeborn, pinot, druid, management-api-for-apache-cassandra-4.0, thingsboard, trino, management-api-for-apache-cassandra-5.0, hono...

6.1AI score
Exploits0
Chainguard
Chainguard
added 2026/05/08 1:17 p.m.18 views

CVE-2026-42586 vulnerabilities

Vulnerabilities for packages: apache-hop, apache-hop-fips, management-api-for-apache-cassandra-4.1, pinot-fips, seata, tez, celeborn, pinot, druid, management-api-for-apache-cassandra-4.0, thingsboard, trino, management-api-for-apache-cassandra-5.0...

7.1CVSS6.7AI score0.00198EPSS
Exploits1
Chainguard
Chainguard
added 2026/05/08 1:17 p.m.16 views

GHSA-RGRR-P7GP-5XJ7 vulnerabilities

Vulnerabilities for packages: apache-hop, apache-hop-fips, management-api-for-apache-cassandra-4.1, pinot-fips, seata, tez, celeborn, pinot, druid, management-api-for-apache-cassandra-4.0, thingsboard, trino, management-api-for-apache-cassandra-5.0...

6.1AI score
Exploits0
Rows per page
Query Builder