Dbt Mcp
by Dbt Labs
Source repositories
CVEs (4)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-44970 | low | 0.07 | — | 0.00 | May 14, 2026 | *Discovered through manual source code review. Verified by PoC execution against a local dbt-mcp v1.15.1 installation.* ### Summary `DefaultUsageTracker.emit_tool_called_event()` in `src/dbt_mcp/tracking/tracking.py` serializes the complete `arguments` dictionary of every MCP… | ||
| CVE-2026-44969 | low | 0.07 | — | 0.00 | May 14, 2026 | *Discovered through manual source code review. Verified by PoC execution against a local dbt-mcp v1.15.1 installation.* ### Summary `DbtMCP.call_tool()` in `src/dbt_mcp/mcp/server.py` logs the complete raw `arguments` dictionary at `INFO` level on every tool invocation (line… | ||
| CVE-2026-55837 | 0.00 | — | — | Jun 19, 2026 | ## Unauthenticated OAuth Context Endpoint Leaks dbt Platform Tokens ### Summary The local OAuth helper FastAPI server bundled with `dbt-mcp` exposes the `GET /dbt_platform_context` endpoint without any form of authentication or host-origin validation. After a user completes… | |||
| CVE-2026-44968 | 0.00 | — | 0.00 | May 14, 2026 | *Discovered through manual source code review. Verified by PoC execution against a local dbt-mcp v1.15.1 installation.** ## Summary `_run_dbt_command()` in `src/dbt_mcp/dbt_cli/tools.py` constructs the dbt subprocess argument list by appending user-supplied MCP tool parameters… |
- risk 0.07cvss —epss 0.00
*Discovered through manual source code review. Verified by PoC execution against a local dbt-mcp v1.15.1 installation.* ### Summary `DefaultUsageTracker.emit_tool_called_event()` in `src/dbt_mcp/tracking/tracking.py` serializes the complete `arguments` dictionary of every MCP…
- risk 0.07cvss —epss 0.00
*Discovered through manual source code review. Verified by PoC execution against a local dbt-mcp v1.15.1 installation.* ### Summary `DbtMCP.call_tool()` in `src/dbt_mcp/mcp/server.py` logs the complete raw `arguments` dictionary at `INFO` level on every tool invocation (line…
- CVE-2026-55837Jun 19, 2026risk 0.00cvss —epss —
## Unauthenticated OAuth Context Endpoint Leaks dbt Platform Tokens ### Summary The local OAuth helper FastAPI server bundled with `dbt-mcp` exposes the `GET /dbt_platform_context` endpoint without any form of authentication or host-origin validation. After a user completes…
- CVE-2026-44968May 14, 2026risk 0.00cvss —epss 0.00
*Discovered through manual source code review. Verified by PoC execution against a local dbt-mcp v1.15.1 installation.** ## Summary `_run_dbt_command()` in `src/dbt_mcp/dbt_cli/tools.py` constructs the dbt subprocess argument list by appending user-supplied MCP tool parameters…