CVE-2026-44969 in dbt-mcp
Summary
by MITRE • 07/16/2026
dbt-mcp is a Model Context Protocol server for interacting with dbt. Prior to 1.17.1, DbtMCP.call_tool() in src/dbt_mcp/mcp/server.py logged the raw arguments dictionary at INFO level before each tool call and at ERROR level on exceptions, and configure_file_logging() wrote those records to dbt-mcp.log when DBT_MCP_SERVER_FILE_LOGGING=true, preserving sensitive sql_query, vars, and node_selection values in plaintext without automatic rotation or deletion. This issue is fixed in version 1.17.1.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 07/16/2026
The vulnerability in dbt-mcp affects the Model Context Protocol server implementation used for dbt interactions, specifically targeting information disclosure through improper logging of sensitive data. The flaw exists in the DbtMCP.call_tool() method within src/dbt_mcp/mcp/server.py where raw argument dictionaries containing sensitive information are logged at both INFO and ERROR levels. This represents a critical security oversight as the logging mechanism does not sanitize or redact sensitive parameters such as sql_query, vars, and node_selection values that are commonly used in dbt operations.
The technical implementation of this vulnerability stems from the server's design pattern where all tool call arguments are serialized and written to log files without any form of data sanitization or access control. When DBT_MCP_SERVER_FILE_LOGGING=true is configured, these plaintext logs become persistent storage locations containing potentially sensitive database query structures, variable substitutions, and selection criteria that could reveal system architecture details, data access patterns, or business logic implementations. The logging occurs both during normal operations and error conditions, amplifying the exposure window and increasing the likelihood of sensitive information being captured in log files.
Operationally, this vulnerability creates significant risk for organizations using dbt-mcp as it allows unauthorized parties with access to log files to extract sensitive data directly from the application's operational records. The plaintext storage of sql_query parameters means that database queries containing user data, business logic, or system-specific information could be recovered from log files, potentially exposing confidential information to attackers who gain read access to the server's file system. Additionally, the lack of automatic log rotation or deletion mechanisms ensures that this sensitive information remains accessible indefinitely, creating long-term exposure windows.
The vulnerability aligns with CWE-312 (Sensitive Data Exposure) and CWE-532 (Information Exposure Through Log Files) which specifically address improper logging of sensitive information. From an ATT&CK perspective, this represents a technique for Information Discovery and Credential Access through log file enumeration and data extraction. The flaw also demonstrates poor application security practices related to the principle of least privilege in logging operations. Organizations should immediately implement mitigations including updating to version 1.17.1 which addresses the issue by properly sanitizing sensitive parameters before logging, implementing automatic log rotation policies, and ensuring that sensitive information is never stored in plaintext within operational logs. Additionally, system administrators should review existing log files for potential exposure of sensitive data and implement proper access controls on log directories to prevent unauthorized access to potentially compromised information.