Dbt Labs
Products: 3
- 4 CVEs
- 2 CVEs
- 1 CVE
Recent CVEs: 7

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-39382 | | Cri | 0.53 | — | 0.00 | | Apr 7, 2026 | dbt enables data analysts and engineers to transform their data using the same practices that software engineers use to build applications. Inside the reusable workflow dbt-labs/actions/blob/main/.github/workflows/open-issue-in-repo.yml, the prep job uses… |
| CVE-2024-36105 | | Med | 0.28 | 5.3 | 0.01 | | May 27, 2024 | dbt enables data analysts and engineers to transform their data using the same practices that software engineers use to build applications. Prior to versions 1.6.15, 1.7.15, and 1.8.1, binding to `INADDR_ANY (0.0.0.0)` or `IN6ADDR_ANY (::)` exposes an application on all network… |
| CVE-2026-44970 | | low | 0.07 | — | 0.00 | | May 14, 2026 | *Discovered through manual source code review. Verified by PoC execution against a local dbt-mcp v1.15.1 installation.* Summary: `DefaultUsageTracker.emit_tool_called_event()` in `src/dbt_mcp/tracking/tracking.py` serializes the complete `arguments` dictionary of every MCP… |
| CVE-2026-44969 | | low | 0.07 | — | 0.00 | | May 14, 2026 | *Discovered through manual source code review. Verified by PoC execution against a local dbt-mcp v1.15.1 installation.* Summary: `DbtMCP.call_tool()` in `src/dbt_mcp/mcp/server.py` logs the complete raw `arguments` dictionary at `INFO` level on every tool invocation (line… |
| CVE-2026-55837 | | | 0.00 | — | — | | Jun 19, 2026 | Unauthenticated OAuth Context Endpoint Leaks dbt Platform Tokens. Summary: The local OAuth helper FastAPI server bundled with `dbt-mcp` exposes the `GET /dbt_platform_context` endpoint without any form of authentication or host-origin validation. After a user completes… |
| CVE-2026-44968 | | | 0.00 | — | 0.00 | | May 14, 2026 | *Discovered through manual source code review. Verified by PoC execution against a local dbt-mcp v1.15.1 installation.* Summary: `_run_dbt_command()` in `src/dbt_mcp/dbt_cli/tools.py` constructs the dbt subprocess argument list by appending user-supplied MCP tool parameters… |
| CVE-2024-40637 | | | 0.00 | — | 0.00 | | Jul 16, 2024 | dbt enables data analysts and engineers to transform their data using the same practices that software engineers use to build applications. When a user installs a package in dbt, it has the ability to override macros, materializations, and other core components of dbt. This is… |