2 matches found
CVE-2026-44968
dbt-mcp is a Model Context Protocol server for interacting with dbt. Prior to 1.17.1, rundbtcommand in src/dbtmcp/dbtcli/tools.py appended unsanitized nodeselection and resourcetype values to the dbt subprocess argument list, allowing an MCP client to inject dbt global flags such as --profiles-di...
CVE-2026-44968
Summary: CVE-2026-44968 affects dbt-mcp (Model Context Protocol server). Prior to v1.17.1, _run_dbt_command() in src/dbt_mcp/dbt_cli/tools.py appended user-supplied MCP parameters to the dbt subprocess argv without validation. This enables argument-list injection via two vectors: (1) node_selecti...