CVE-2026-44970 in dbt-mcp
Summary
by MITRE • 07/16/2026
dbt-mcp is a Model Context Protocol server for interacting with dbt. Prior to 1.17.1, DefaultUsageTracker.emit_tool_called_event() in src/dbt_mcp/tracking/tracking.py serialized every MCP tool call's complete arguments dictionary and sent it through dbtlabs_vortex.producer.log_proto without redaction, including sql_query from show, vars from run, build, and test, and node_selection from compile, while usage_tracking_enabled in settings.py enabled telemetry by default unless DBT_SEND_ANONYMOUS_USAGE_STATS=false or DO_NOT_TRACK=1 was set. This issue is fixed in version 1.17.1.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 07/16/2026
The dbt-mcp vulnerability involves a critical exposure of sensitive data through improper telemetry implementation in the Model Context Protocol server. This flaw exists in versions prior to 1.17.1 where the DefaultUsageTracker.emit_tool_called_event() function serializes complete argument dictionaries from every MCP tool call without any redaction process. The affected components include sql_query parameters from show commands, vars data from run operations, build processes, and test executions, along with node_selection parameters from compile functions. These serialized arguments are then transmitted through the dbtlabs_vortex.producer.log_proto channel, creating a significant data leak risk.
The technical implementation flaw stems from inadequate input sanitization and data handling practices within the tracking mechanism. The system automatically enables telemetry by default through the usage_tracking_enabled setting in settings.py, which operates under the assumption that users have not explicitly disabled anonymous usage statistics. This automatic activation occurs even when DBT_SEND_ANONYMOUS_USAGE_STATS is set to false or when DO_NOT_TRACK is configured, creating a scenario where sensitive operational data flows out of the system without user consent or awareness. The vulnerability represents a clear violation of data minimization principles and privacy-by-design methodologies.
The operational impact of this vulnerability extends beyond simple data exposure to encompass potential security breaches and compliance violations. Organizations using dbt-mcp versions before 1.17.1 face risks of unauthorized access to database queries, configuration variables, and system operation details that could be exploited by malicious actors. The transmitted data includes potentially sensitive information such as database schema details through sql_query parameters, environment-specific variables from vars operations, and system navigation paths via node_selection data. This exposure creates opportunities for attackers to perform reconnaissance, identify system weaknesses, and potentially escalate privileges within the data infrastructure.
Security practitioners should note this vulnerability aligns with CWE-209 (Information Exposure Through an Error Message) and CWE-312 (Sensitive Data Exposure) categories, while also mapping to ATT&CK technique T1566 (Phishing) and T1071.1 (Application Layer Protocol: Web Protocols) through potential data exfiltration pathways. The recommended mitigation involves upgrading to dbt-mcp version 1.17.1 or later where the redaction mechanism has been properly implemented. Organizations should also review their telemetry configurations, disable anonymous usage statistics when appropriate, and implement network monitoring to detect unauthorized data transmission patterns. Additionally, regular security assessments of third-party tools and their telemetry implementations are essential to prevent similar vulnerabilities in the broader software ecosystem.
This vulnerability demonstrates the critical importance of proper data handling practices in development tools and highlights how default configurations can create security risks. The flaw serves as a reminder that even seemingly benign telemetry features can become significant attack vectors when they fail to implement adequate data sanitization and user consent mechanisms. Organizations must prioritize privacy protection in their tool selection processes and ensure that all third-party components follow established security frameworks and best practices for handling sensitive information.