CRITICAL CVE-2026-49257 Published Modified CNA GitHub_M

CVE-2026-49257: mcp-pinot: Unauthenticated tool invocation via default oauth_enabled=False + host 0.0.0.0 bind

mcp-pinot is a Python-based Model Context Protocol (MCP) server for interacting with Apache Pinot. In versions 3.0.1 and below, mcp-pinot defaults to running an HTTP MCP server bound to 0.0.0.0:8080 with no authentication enabled. All MCP tools, including SQL query execution, schema creation, and table-config mutation, are reachable by any network-adjacent caller. The server proxies these calls using server-side Pinot credentials, producing a confused-deputy condition that yields full read/write access to the configured Pinot cluster. This issue has been fixed in version 3.1.0.

Metrics

  • CVSS v3.1: 10.0
  • Severity: CRITICAL
  • Fixed in:
  • Affected Products: 1


HarborGuard Analysis

Synopsis

An authentication bypass vulnerability in mcp-pinot (versions 3.0.1 and below) allows any caller reachable over the network to invoke all MCP tool endpoints without credentials. The server binds by default to 0.0.0.0:8080 with OAuth disabled, and it proxies requests using its own server-side Pinot credentials, creating a confused-deputy condition. Successful exploitation gives an unauthenticated attacker full read and write access to the connected Apache Pinot cluster, including arbitrary SQL execution and schema or table-config mutation. A patched-image rebuild at version 3.1.0 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built images that bundle mcp-pinot. Any image containing a version of mcp-pinot below 3.1.0 is flagged automatically during both registry scans and CI pipeline checks.

Status: Available

Triage

HarborGuard scores this finding at CVSS 10.0 (Critical) and surfaces it with that severity weighting inside each customer org. Per-environment compliance policy weighting is applied so the alert routes to the inbox or ticket queue configured by each team for Critical-severity findings.

Status: Available

Patch

No upstream fix has been published as of this record's publication date, so HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available at version 3.1.0 the moment the upstream release is confirmed. For customers who opt into auto-remediation, a rebuilt image, regression-test run, and a PR opened against affected workloads will be triggered automatically once the fix version clears HarborGuard's validation pipeline.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The server binds to 0.0.0.0:8080 by default, so an attacker must be able to reach that port over the network; any host with TCP access to the exposed interface can exploit this.

  • Authentication: Not required

    OAuth is disabled by default (oauth_enabled=False), so no credentials, tokens, or account of any privilege level are required to invoke MCP tools.

  • Victim interaction: Not required

    The attacker sends HTTP requests directly to the listening server; no user action or social engineering is needed.

  • Attack complexity: Detail

    The exploit is reliable and condition-free: the default configuration exposes the service without any race conditions, memory-layout dependencies, or environmental prerequisites.

Blast Radius

  • Reads any data stored in the connected Apache Pinot cluster, including all tables, schemas, and query results, by issuing arbitrary SQL SELECT statements through the unauthenticated tool endpoint.
  • Modifies persisted Pinot table configurations and schemas, allowing an attacker to alter data structures, drop tables, or corrupt ingestion pipelines.
  • Executes arbitrary SQL write operations against Pinot using the server's own privileged credentials, inserting or deleting records across all accessible tables.
  • Disrupts cluster availability by submitting resource-exhausting queries or destructive administrative commands that the server proxy forwards with full server-side authority.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix version has been confirmed in this record, HarborGuard continuously re-checks the advisory on every ingest cycle and will make a patched-image rebuild available at version 3.1.0 the moment the release is validated. In the interim, compensating controls are recommended: apply a Kubernetes NetworkPolicy or equivalent network-layer rule to restrict inbound access to the mcp-pinot service port (8080) to only trusted internal callers; if your deployment supports environment-variable overrides, set oauth_enabled=True and bind the server to a loopback or internal interface rather than 0.0.0.0. For customers who opt into auto-remediation, HarborGuard will trigger a rebuilt image, a regression-test run, and a PR opened against affected workloads automatically once the fix clears validation. For environments where compliance policy does not permit auto-remediation, HarborGuard will surface the patched rebuild in the findings dashboard for manual promotion.
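The exposure this record describes is the combination of a non-loopback bind, oauth_enabled=False, and a version below 3.1.0, and an inventory can be checked for it while the compensating controls above are rolled out. The following is an added example, not code from mcp-pinot or HarborGuard; the `Deployment` record, its field names, the finding strings and the sample inventory are hypothetical.

```python
import ipaddress
from dataclasses import dataclass

FIXED_VERSION = (3, 1, 0)  # fix version stated in this advisory


@dataclass
class Deployment:
    """Hypothetical inventory record; defaults mirror the affected defaults."""
    name: str
    version: str
    host: str = "0.0.0.0"
    port: int = 8080
    oauth_enabled: bool = False


def parse_version(text):
    # Plain numeric releases only (e.g. "3.0.1"); suffixes are not handled.
    return tuple(int(part) for part in text.split("."))


def bind_scope(host):
    """Return 'loopback', 'all-interfaces' or 'specific' for a listen address."""
    if host == "localhost":
        return "loopback"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "specific"  # unresolved hostname: assume it is reachable
    if addr.is_loopback:
        return "loopback"
    return "all-interfaces" if addr.is_unspecified else "specific"


def assess(dep):
    """List findings for one deployment; an empty list means nothing flagged."""
    findings = []
    if parse_version(dep.version) < FIXED_VERSION:
        findings.append("version-below-3.1.0")
    scope = bind_scope(dep.host)
    if not dep.oauth_enabled and scope != "loopback":
        findings.append(f"unauthenticated-tools-reachable:{scope}:{dep.port}")
    return findings


# Constructed sample inventory, not real deployments.
INVENTORY = [
    Deployment("default-install", "3.0.1"),
    Deployment("loopback-only", "3.0.1", host="127.0.0.1"),
    Deployment("oauth-on", "3.0.1", oauth_enabled=True),
    Deployment("patched-hardened", "3.1.0", host="10.0.4.7", oauth_enabled=True),
]

if __name__ == "__main__":
    for dep in INVENTORY:
        print(dep.name, assess(dep) or "ok")
```

The configuration finding is reported independently of the version finding, so an explicitly configured open bind without OAuth is still flagged on a patched release.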

Affected packages
  • startreedata / mcp-pinot
    < 3.1.0
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H