Lucene search
K

11 matches found

OSV
OSV
added 2026/05/14 6:25 p.m.10 views

GHSA-JJ54-R8GM-2FCF dbt MCP Server Transmits All MCP Tool Arguments Including Raw SQL and --vars Credentials to dbt Labs Telemetry by Default Without Redaction

Discovered through manual source code review. Verified by PoC execution against a local dbt-mcp v1.15.1 installation. Summary DefaultUsageTracker.emittoolcalledevent in src/dbtmcp/tracking/tracking.py serializes the complete arguments dictionary of every MCP tool call and transmits it verbatim to...

3.1CVSS6AI score0.00042EPSS
Exploits0References3
OSV
OSV
added 2026/05/14 6:24 p.m.6 views

GHSA-7XGW-6QF3-7W59 dbt MCP Server Logs Tool Arguments Including SQL Queries and Credentials in Plaintext Without Redaction When File Logging Is Enabled

Discovered through manual source code review. Verified by PoC execution against a local dbt-mcp v1.15.1 installation. Summary DbtMCP.calltool in src/dbtmcp/mcp/server.py logs the complete raw arguments dictionary at INFO level on every tool invocation line 67 and again at ERROR level if the call...

2.5CVSS6AI score0.00012EPSS
Exploits0References3
Github Security Blog
Github Security Blog
added 2026/05/14 6:24 p.m.14 views

dbt MCP Server Logs Tool Arguments Including SQL Queries and Credentials in Plaintext Without Redaction When File Logging Is Enabled

Discovered through manual source code review. Verified by PoC execution against a local dbt-mcp v1.15.1 installation. Summary DbtMCP.calltool in src/dbtmcp/mcp/server.py logs the complete raw arguments dictionary at INFO level on every tool invocation line 67 and again at ERROR level if the call...

6AI score0.00012EPSS
Exploits0References3Affected Software1
Positive Technologies
Positive Technologies
added 2026/05/14 12:0 a.m.24 views

PT-2026-41123

Name of the Vulnerable Software and Affected Versions python-utcp versions prior to 1.1.3 Description The substitute utcp args method in cli communication protocol.py inserts user-controlled tool args values directly into shell command strings without sanitization or escaping. These commands are...

10CVSS6.4AI score0.00272EPSS
Exploits0References13
OSV
OSV
added 2026/05/08 7:7 p.m.4 views

CVE-2026-42282 n8n-MCP: Sensitive MCP tool-call arguments logged on authenticated requests in HTTP mode

n8n-MCP is an MCP server that provides AI assistants access to n8n node documentation, properties, and operations. Prior to version 2.47.13, when n8n-mcp runs in HTTP transport mode, authenticated MCP tools/call requests had their full arguments and JSON-RPC params written to server logs by the...

4.3CVSS6AI score0.0025EPSS
Exploits0References5
RedhatCVE
RedhatCVE
added 2026/03/26 3:7 p.m.7 views

CVE-2026-31995

OpenClaw versions 2026.1.21 prior to 2026.2.19 contain a command injection vulnerability in the Lobster extension's Windows shell fallback mechanism that allows attackers to inject arbitrary commands through tool-provided arguments. When spawn failures trigger shell fallback with shell: true,...

7CVSS6AI score0.00525EPSS
Exploits0References1
OSV
OSV
added 2026/03/19 3:30 a.m.4 views

GHSA-8PX5-2GFR-7PH6 Duplicate Advisory: OpenClaw has Windows Lobster shell fallback command injection in constrained fallback path

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-fg3m-vhrr-8gj6. This link is maintained to preserve external references. Original Description OpenClaw versions 2026.1.21 prior to 2026.2.19 contain a command injection vulnerability in the Lobster extension's...

5.8CVSS6AI score0.00525EPSS
Exploits0References4
EUVD
EUVD
added 2026/03/19 3:30 a.m.6 views

EUVD-2026-13029

OpenClaw versions 2026.1.21 prior to 2026.2.19 contain a command injection vulnerability in the Lobster extension's Windows shell fallback mechanism that allows attackers to inject arbitrary commands through tool-provided arguments. When spawn failures trigger shell fallback with shell: true,...

7CVSS6AI score0.00525EPSS
Exploits0References4
NVD
NVD
added 2026/03/19 2:16 a.m.7 views

CVE-2026-31995

OpenClaw versions 2026.1.21 prior to 2026.2.19 contain a command injection vulnerability in the Lobster extension's Windows shell fallback mechanism that allows attackers to inject arbitrary commands through tool-provided arguments. When spawn failures trigger shell fallback with shell: true,...

7CVSS0.00525EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/03/19 1:0 a.m.4 views

CVE-2026-31995 OpenClaw 2026.1.21 < 2026.2.19 - Command Injection via Windows Shell Fallback in Lobster Extension

OpenClaw versions 2026.1.21 prior to 2026.2.19 contain a command injection vulnerability in the Lobster extension's Windows shell fallback mechanism that allows attackers to inject arbitrary commands through tool-provided arguments. When spawn failures trigger shell fallback with shell: true,...

5.8CVSS6AI score0.00525EPSS
Exploits0References3
OSV
OSV
added 2026/03/19 1:0 a.m.3 views

CVE-2026-31995 OpenClaw 2026.1.21 < 2026.2.19 - Command Injection via Windows Shell Fallback in Lobster Extension

OpenClaw versions 2026.1.21 prior to 2026.2.19 contain a command injection vulnerability in the Lobster extension's Windows shell fallback mechanism that allows attackers to inject arbitrary commands through tool-provided arguments. When spawn failures trigger shell fallback with shell: true,...

5.8CVSS6.3AI score0.00525EPSS
Exploits0References5
Rows per page
Query Builder