Skip to main content

mcp-pinot CVE-2026-49257

| EUVD-2026-37951 CRITICAL
Missing Authentication for Critical Function (CWE-306)
2026-06-18 GitHub_M
Python Authentication Bypass Apache Mcp Pinot
10.0
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
10.0 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
10.0 CRITICAL

Default 0.0.0.0 bind with no auth means network-reachable, low-complexity, unauthenticated, no UI; tools mutate a separate Pinot cluster (scope change) with full read/write/admin impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Patch available
Jun 18, 2026 - 23:16 EUVD
Source Code Evidence Fetched
Jun 18, 2026 - 21:51 vuln.today
Analysis Generated
Jun 18, 2026 - 21:51 vuln.today
CVE Published
Jun 18, 2026 - 21:01 cve.org
CRITICAL 10.0

DescriptionCVE.org

mcp-pinot is a Python-based Model Context Protocol (MCP) server for interacting with Apache Pinot. In versions 3.0.1 and below, mcp-pinot defaults to running an HTTP MCP server bound to 0.0.0.0:8080 with no authentication enabled. All MCP tools, including SQL query execution, schema creation, and table-config mutation, are reachable by any network-adjacent caller. The server proxies these calls using server-side Pinot credentials, producing a confused-deputy condition that yields full read/write access to the configured Pinot cluster. This issue has been fixed in version 3.1.0

AnalysisAI

Authentication bypass in StarTree mcp-pinot versions 3.0.1 and earlier exposes the Model Context Protocol HTTP server on 0.0.0.0:8080 by default with no authentication, allowing any network-adjacent attacker to invoke every MCP tool - including SQL execution, schema creation, and table-config mutation - against the backing Apache Pinot cluster using the server's own credentials. The maximum CVSS 10.0 score reflects a scope-changing confused-deputy condition. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Discover exposed mcp-pinot port 8080
Delivery
Send unauthenticated POST to /api/tools/call
Exploit
Invoke schema/table-config or read-query tool
Execution
mcp-pinot proxies with server credentials
Persist
Read or mutate Pinot cluster data
Impact
Persist via altered table config
Sign in to reveal

Vulnerability AssessmentAI

Exploitation The mcp-pinot HTTP transport must be enabled (the vulnerable default MCP_TRANSPORT=both or http) and MCP_HOST must remain at the default 0.0.0.0 (or any non-loopback address) so the listener is reachable from outside the host. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment All risk signals align toward maximum priority for any operator running mcp-pinot ≤3.0.1 with the HTTP transport reachable beyond localhost. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker on the same network segment, VPC, or Kubernetes cluster as a vulnerable mcp-pinot deployment scans for TCP/8080, then sends an unauthenticated POST to /api/tools/call with a JSON body invoking the desired tool - for example {"name":"read-query","arguments":{"query":"SELECT ..."}} to exfiltrate data, or schema/table-config mutation tools to drop or alter Pinot tables. Because the server proxies the request with its own Pinot credentials, the attacker inherits full read/write authority against the cluster without ever touching Pinot directly. …
Remediation Vendor-released patch: upgrade to mcp-pinot 3.1.0 or later, which changes the default MCP_HOST to 127.0.0.1, refuses non-loopback HTTP binds unless OAuth is enabled, and adds sqlglot-based read-query validation that rejects non-SELECT, stacked, and DDL/admin SQL before forwarding to Pinot (see PR https://github.com/startreedata/mcp-pinot/pull/95 and commit https://github.com/startreedata/mcp-pinot/commit/1c7d3f9cd384854bf72c127d230bdb32299475ad). … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Inventory all systems running mcp-pinot versions 3.0.1 and earlier; implement firewall rules to block external access to port 8080. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-53753 CRITICAL
9.8 Jun 16

Unauthenticated remote code execution in Crawl4AI versions <= 0.8.6 allows attackers to escape the AST-based sandbox in

CVE-2026-38714 CRITICAL
9.8 Jun 18

InHand Networks IR912 V1.0.0.r20042 and IR915 V1.0.0.r20042 (including earlier versions) were discovered to contain a co
CVE-2026-38716 CRITICAL
9.8 Jun 18

InHand Networks IR912 V1.0.0.r20042 and IR915 V1.0.0.r20042 (including earlier versions) were discovered to contain a co
CVE-2026-48519 CRITICAL
9.6 Jun 16

Remote code execution in Langflow versions through 1.9.1 allows unauthenticated attackers to execute arbitrary Python co
CVE-2026-55518 CRITICAL
9.6 Jun 17

Authorization bypass in Avo (Ruby on Rails admin framework) versions <= 3.32.0 and 4.0.0.beta.1 through 4.0.0.beta.50 al

Share

CVE-2026-49257 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy