CVE-2026-44968 dbt-mcp: Argument Injection in dbt CLI Tool Wrappers via node_selection and resource_type Parameters
dbt-mcp is a Model Context Protocol server for interacting with dbt. Prior to 1.17.1, rundbtcommand in src/dbtmcp/dbtcli/tools.py appended unsanitized nodeselection and resourcetype values to the dbt subprocess argument list, allowing an MCP client to inject dbt global flags such as --profiles-di...