CVE-2026-44970

Source
https://cve.org/CVERecord?id=CVE-2026-44970
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-44970.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-44970
Aliases
Published
2026-07-16T17:49:19.310Z
Modified
2026-07-17T03:46:35.677389052Z
Severity
  • 3.1 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
dbt-mcp: All MCP Tool Arguments Including Raw SQL and --vars Credentials Transmitted to dbt Labs Telemetry by Default Without Redaction
Details

dbt-mcp is a Model Context Protocol server for interacting with dbt. Prior to 1.17.1, DefaultUsageTracker.emittoolcalledevent() in src/dbtmcp/tracking/tracking.py serialized every MCP tool call's complete arguments dictionary and sent it through dbtlabsvortex.producer.logproto without redaction, including sqlquery from show, vars from run, build, and test, and nodeselection from compile, while usagetrackingenabled in settings.py enabled telemetry by default unless DBTSENDANONYMOUSUSAGESTATS=false or DONOTTRACK=1 was set. This issue is fixed in version 1.17.1.

Database specific
{
    "cwe_ids": [
        "CWE-201"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/44xxx/CVE-2026-44970.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/dbt-labs/dbt-mcp

Affected ranges

Type
GIT
Repo
https://github.com/dbt-labs/dbt-mcp
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.17.1"
        }
    ],
    "source": "AFFECTED_FIELD"
}

Affected versions

v0.*
v0.10.0
v0.10.1
v0.10.2
v0.10.3
v0.2.0
v0.2.1
v0.2.10
v0.2.11
v0.2.12
v0.2.13
v0.2.14
v0.2.15
v0.2.16
v0.2.17
v0.2.18
v0.2.19
v0.2.2
v0.2.20
v0.2.3
v0.2.4
v0.2.5
v0.2.6
v0.2.7
v0.2.8
v0.2.9
v0.3.0
v0.4.0
v0.4.1
v0.4.2
v0.5.0
v0.6.0
v0.6.1
v0.6.2
v0.7.0
v0.8.0
v0.8.1
v0.8.2
v0.8.3
v0.8.4
v0.9.0
v0.9.1
v1.*
v1.0.0
v1.1.0
v1.10.0
v1.11.0
v1.12.0
v1.13.0
v1.14.0
v1.15.0
v1.15.1
v1.16.0
v1.17.0
v1.2.0
v1.3.0
v1.4.0
v1.5.0
v1.5.1
v1.5.2
v1.6.0
v1.6.1
v1.6.2
v1.7.0
v1.8.0
v1.8.1
v1.9.0
v1.9.1
v1.9.2
v1.9.3

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-44970.json"