CVE-2026-44968 in dbt-mcp
Summary
by MITRE • 07/16/2026
dbt-mcp is a Model Context Protocol server for interacting with dbt. Prior to 1.17.1, _run_dbt_command() in src/dbt_mcp/dbt_cli/tools.py appended unsanitized node_selection and resource_type values to the dbt subprocess argument list, allowing an MCP client to inject dbt global flags such as --profiles-dir, --project-dir, and --target into subprocess.Popen even though shell=False prevents shell metacharacter injection. This issue is fixed in version 1.17.1.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 07/16/2026
The dbt-mcp vulnerability represents a critical command injection flaw that undermines the security of the Model Context Protocol server used for dbt interactions. This vulnerability exists in versions prior to 1.17.1 where the _run_dbt_command() function in src/dbt_mcp/dbt_cli/tools.py fails to properly sanitize user-provided input parameters. The flaw specifically affects the node_selection and resource_type values that are appended directly to the dbt subprocess argument list without adequate validation or sanitization measures.
The technical implementation of this vulnerability stems from improper input handling within the dbt-mcp server's command execution mechanism. When an MCP client interacts with the server, it can provide unsanitized node_selection and resource_type parameters that get concatenated into the dbt subprocess arguments. While the code correctly sets shell=False to prevent shell metacharacter injection, this protection is insufficient against argument injection attacks. Attackers can exploit this by crafting malicious input that includes dbt global flags such as --profiles-dir, --project-dir, and --target, which are then passed directly to the subprocess.Popen call.
This vulnerability operates under the principles of CWE-77 and CWE-88, representing command injection through improper argument handling. The operational impact is significant as it allows remote attackers to potentially execute arbitrary commands or manipulate the dbt execution environment. An attacker could leverage this to access sensitive configuration files, modify project directories, or redirect database connections through the injected global flags. The vulnerability essentially compromises the integrity of the dbt execution context and can lead to unauthorized data access or manipulation within the target environment.
The attack surface is particularly concerning as it affects any system running dbt-mcp versions before 1.17.1, making it accessible to anyone who can establish an MCP connection to the server. The remediation implemented in version 1.17.1 addresses this by introducing proper input sanitization and validation of node_selection and resource_type parameters before they are appended to subprocess arguments. This fix aligns with ATT&CK technique T1059.001 for command and script injection, ensuring that user-provided inputs cannot be misused to manipulate the underlying dbt execution process.
Organizations utilizing dbt-mcp should prioritize immediate upgrading to version 1.17.1 or later to mitigate this risk. Additionally, implementing proper input validation at multiple layers of the application architecture provides defense-in-depth against similar vulnerabilities. The fix demonstrates the importance of validating all external inputs, even when using security measures like shell=False, as these protections can be bypassed through argument injection techniques that do not rely on shell interpretation.