VYPR

Dbt Mcp

by Dbt Labs

Source repositories

CVEs (4)

  • CVE-2026-44970 · low · May 14, 2026
    risk 0.07 · cvss · epss 0.00

    *Discovered through manual source code review. Verified by PoC execution against a local dbt-mcp v1.15.1 installation.*

    ### Summary

    `DefaultUsageTracker.emit_tool_called_event()` in `src/dbt_mcp/tracking/tracking.py` serializes the complete `arguments` dictionary of every MCP…

  • CVE-2026-44969 · low · May 14, 2026
    risk 0.07 · cvss · epss 0.00

    *Discovered through manual source code review. Verified by PoC execution against a local dbt-mcp v1.15.1 installation.*

    ### Summary

    `DbtMCP.call_tool()` in `src/dbt_mcp/mcp/server.py` logs the complete raw `arguments` dictionary at `INFO` level on every tool invocation (line…

  • CVE-2026-55837 · Jun 19, 2026
    risk 0.00 · cvss · epss

    ## Unauthenticated OAuth Context Endpoint Leaks dbt Platform Tokens

    ### Summary

    The local OAuth helper FastAPI server bundled with `dbt-mcp` exposes the `GET /dbt_platform_context` endpoint without any form of authentication or host-origin validation. After a user completes…

  • CVE-2026-44968 · May 14, 2026
    risk 0.00 · cvss · epss 0.00

    *Discovered through manual source code review. Verified by PoC execution against a local dbt-mcp v1.15.1 installation.*

    ## Summary

    `_run_dbt_command()` in `src/dbt_mcp/dbt_cli/tools.py` constructs the dbt subprocess argument list by appending user-supplied MCP tool parameters…