VYPR

PyPI package

dbt-mcp

pkg:pypi/dbt-mcp

Vulnerabilities (3)

  • CVE-2026-44970 | low | May 14, 2026
    affected < 1.17.1 | fixed 1.17.1

    *Discovered through manual source code review. Verified by PoC execution against a local dbt-mcp v1.15.1 installation.* Summary: `DefaultUsageTracker.emit_tool_called_event()` in `src/dbt_mcp/tracking/tracking.py` serializes the complete `arguments` dictionary of every MCP t

  • CVE-2026-44969 | low | May 14, 2026
    affected < 1.17.1 | fixed 1.17.1

    *Discovered through manual source code review. Verified by PoC execution against a local dbt-mcp v1.15.1 installation.* Summary: `DbtMCP.call_tool()` in `src/dbt_mcp/mcp/server.py` logs the complete raw `arguments` dictionary at `INFO` level on every tool invocation (line 67

  • CVE-2026-44968 | May 14, 2026
    affected < 1.17.1 | fixed 1.17.1

    *Discovered through manual source code review. Verified by PoC execution against a local dbt-mcp v1.15.1 installation.* Summary: `_run_dbt_command()` in `src/dbt_mcp/dbt_cli/tools.py` constructs the dbt subprocess argument list by appending user-supplied MCP tool parameters