Skip to main content

dbt-mcp CVE-2026-44969

LOW
Insertion of Sensitive Information into Log File (CWE-532)
2026-05-14 https://github.com/dbt-labs/dbt-mcp GHSA-7xgw-6qf3-7w59
2.5
CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
2.5 LOW
AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
May 14, 2026 - 19:00 vuln.today
Analysis Generated
May 14, 2026 - 19:00 vuln.today
CVE Published
May 14, 2026 - 18:24 nvd
LOW 2.5

DescriptionGitHub Advisory

*Discovered through manual source code review. Verified by PoC execution against a local dbt-mcp v1.15.1 installation.*

Summary

DbtMCP.call_tool() in src/dbt_mcp/mcp/server.py logs the complete raw arguments dictionary at INFO level on every tool invocation (line 67) and again at ERROR level if the call raises an exception (lines 77-79). No field is redacted before logging. When the documented DBT_MCP_SERVER_FILE_LOGGING=true feature is enabled, these log records are written to dbt-mcp.log in the project root directory as plaintext. Sensitive data - raw SQL queries, --vars payloads carrying credentials, node selectors - persists on disk indefinitely with no automatic rotation or deletion.

Details

Vulnerable log statements (server.py):

python
# Line 67 - emitted before every tool execution
logger.info(f"Calling tool: {name} with arguments: {arguments}")
# Lines 77-79 - emitted if the tool raises an exception (double-logging on failure)
logger.error(
    f"Error calling tool: {name} with arguments: {arguments} "
    f"in {end_time - start_time}ms: {e}"
)

arguments is the raw Python dict received from the MCP client. It is string-interpolated directly into the log message. On a tool call that raises an exception, the same dict is logged twice - once at INFO and once at ERROR.

File logging is activated by DBT_MCP_SERVER_FILE_LOGGING=true (a documented feature in the project README). The log file location is resolved by configure_file_logging(), which walks up the directory tree from __file__ looking for .git or pyproject.toml, falling back to $HOME. Arguments are also emitted to stderr by the default stream handler regardless of file logging state.

PoC

MCP client script - triggers real tool calls and verifies log file contents:

python
#!/usr/bin/env python3
# poc4_tool_args_logged.py
# Vulnerable code: src/dbt_mcp/mcp/server.py line 67, 77-79
# configure_file_logging(): src/dbt_mcp/telemetry/logging.py

import logging
from pathlib import Path

LOG_FILENAME = "dbt-mcp.log"

def configure_file_logging(log_level: int = logging.INFO) -> Path:
    """Reproduction of configure_file_logging() from telemetry/logging.py."""
    module_path = Path(__file__).resolve().parent
    home = Path.home().resolve()
    for candidate in [module_path, *module_path.parents]:
        if (candidate / ".git").exists() or (candidate / "pyproject.toml").exists() or candidate == home:
            repo_root = candidate
            break
    log_path = repo_root / LOG_FILENAME
    root_logger = logging.getLogger()
    root_logger.setLevel(log_level)
    file_handler = logging.FileHandler(log_path, encoding="utf-8")
    file_handler.setLevel(log_level)
    file_handler.setFormatter(
        logging.Formatter("%(asctime)s %(levelname)s [%(name)s] %(message)s")
    )
    root_logger.addHandler(file_handler)
    return log_path

log_path = configure_file_logging()
server_logger = logging.getLogger("dbt_mcp.mcp.server")
# Exact log statements from server.py line 67 and line 77-79
name = "show"
arguments = {"sql_query": "SELECT ssn, credit_card_number, salary FROM customers WHERE id = 42", "limit": 5}
server_logger.info(f"Calling tool: {name} with arguments: {arguments}")

name2 = "run"
arguments2 = {"node_selection": "sensitive_model", "vars": '{"db_password": "hunter2", "api_key": "sk-prod-abc123xyz"}', "is_full_refresh": False}
server_logger.info(f"Calling tool: {name2} with arguments: {arguments2}")
# Verify file contents
lines = log_path.read_text(encoding="utf-8").splitlines()
poc_lines = [l for l in lines if "dbt_mcp.mcp.server" in l]
print(f"[log file: {log_path}]")
for line in poc_lines:
    print(f"  {line}")

keywords = ["ssn", "credit_card_number", "salary", "db_password", "api_key"]
found = [kw for kw in keywords if any(kw in l for l in poc_lines)]
if found:
    print(f"\n[CONFIRMED] Sensitive keywords in plaintext log: {found}")
    print(f"[CONFIRMED] No redaction applied. File persists at {log_path}")

Expected log file entries:

`
2026-04-27 ... INFO [dbt_mcp.mcp.server] Calling tool: show with arguments:
  {'sql_query': 'SELECT ssn, credit_card_number, salary FROM customers', 'limit': 5}

2026-04-27 ... INFO [dbt_mcp.mcp.server] Calling tool: run with arguments:
  {'node_selection': 'sensitive_model',
   'vars': '{"db_password":"hunter2","api_key":"sk-prod-abc123"}',
   'is_full_refresh': False}

[CONFIRMED] Sensitive keywords in plaintext log: ['ssn', 'credit_card_number', 'salary', 'db_password', 'api_key']
[CONFIRMED] No redaction applied.

<img width="3798" height="462" alt="image" src="https://github.com/user-attachments/assets/b4c23a93-b3d3-4b7f-ba46-3d4a324d609f" />

Impact

Directly proven by this PoC:

  • When DBT_MCP_SERVER_FILE_LOGGING=true, the full arguments dict of every tool call - including sql_query, vars, and node_selection - is written to dbt-mcp.log in plaintext on every invocation.
  • A tool call that raises an exception produces two log entries with the same sensitive content (INFO + ERROR double-logging).
  • The log file has no automatic rotation, expiry, or access restriction beyond filesystem permissions.

Combined with Advisory 3 (telemetry), a single show tool call containing PII produces one telemetry transmission to dbt Labs and one (or two, on failure) persistent log entries on disk.

Remediation

redact known-sensitive argument values before logging:

python
_LOG_REDACT = frozenset({"sql_query", "vars"})

def _safe_args(arguments: dict) -> dict:
    return {k: "***redacted***" if k in _LOG_REDACT else v
            for k, v in arguments.items()}
# server.py line 67:
logger.info(f"Calling tool: {name} with arguments: {_safe_args(arguments)}")
# server.py lines 77-79:
logger.error(
    f"Error calling tool: {name} with arguments: {_safe_args(arguments)} "
    f"in {end_time - start_time}ms: {e}"
)

log argument keys only:

python
logger.info(f"Calling tool: {name} with argument keys: {list(arguments.keys())}")

File logging: Consider reducing the default log level for the file handler to WARNING so that normal-operation INFO records (which include arguments) are not persisted. Sensitive content would only appear in file logs on error.

AnalysisAI

dbt MCP Server logs complete tool arguments including SQL queries and database credentials in plaintext to disk when file logging is enabled. Versions up to 1.17.0 write unredacted arguments from every tool invocation to dbt-mcp.log, with sensitive data such as raw SQL queries, credential-bearing vars payloads, and node selectors persisting indefinitely without automatic rotation. A local attacker with read access to the log file can extract credentials and SQL logic. Publicly available proof-of-concept demonstrates credential and PII extraction from log files.

Technical ContextAI

dbt-mcp is a Python Model Context Protocol (MCP) server that exposes dbt operations as tools to MCP clients. The vulnerability exists in src/dbt_mcp/mcp/server.py at lines 67 and 77-79, where the call_tool() method logs the raw arguments dictionary using Python's standard logging module with string interpolation (f-string). When DBT_MCP_SERVER_FILE_LOGGING=true is set (a documented configuration feature), the logging module's FileHandler writes INFO and ERROR level records to dbt-mcp.log in plaintext. The root cause is improper data sanitization before logging (CWE-532: Insertion of Sensitive Information into Log File). The log file path is resolved by configure_file_logging() which searches for .git or pyproject.toml in parent directories, defaulting to the home directory. Arguments containing sql_query and vars fields are never filtered or redacted, exposing database credentials, API keys, and SQL logic to any process with filesystem read permissions.

RemediationAI

Vendor-released patch: dbt-mcp v1.17.1 (released 2026-05-05) fixes the vulnerability by redacting sensitive argument fields before logging. Upgrade immediately to v1.17.1 or later using pip install --upgrade dbt-mcp. For users unable to upgrade immediately, disable file logging by removing or setting DBT_MCP_SERVER_FILE_LOGGING=false in your environment configuration; this prevents arguments from being written to disk but does not suppress stderr logging of arguments. Restrict filesystem read access to the project root directory and $HOME (where dbt-mcp.log is written) to prevent unauthorized access to existing log files. Rotate or delete existing dbt-mcp.log files that may contain credentials. Audit log file contents for exposed credentials and API keys using grep patterns like 'api_key', 'password', 'secret', 'db_password'; if found, rotate affected credentials immediately. Consider reducing the log level for file handlers to WARNING only, so INFO-level argument logging is not persisted; note that ERROR-level argument logging during tool failures will still occur and must be monitored.

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2013-5093 MEDIUM POC
6.8 Sep 27

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2017-9462 HIGH POC
8.8 Jun 06

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-55255 HIGH POC
8.4 Jun 19

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing

Share

CVE-2026-44969 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy