GHSA-vf6j-c56p-cq58

Source
https://github.com/advisories/GHSA-vf6j-c56p-cq58
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-vf6j-c56p-cq58/GHSA-vf6j-c56p-cq58.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-vf6j-c56p-cq58
Aliases
Published
2026-02-06T18:52:44Z
Modified
2026-02-06T22:16:07.245388Z
Severity
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Summary
MCP-Salesforce's arbitrary attribute access leads to disclosure of Salesforce auth token
Details

Impact

Disclosure of Salesforce OAuth bearer tokens used by the MCP.

Patches

Fix applied in 0.1.10.

Workarounds

Rotate any Salesforce tokens/credentials used by MCP-Salesforce.

Database specific
{
    "nvd_published_at": "2026-02-06T19:16:09Z",
    "cwe_ids": [
        "CWE-200"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-06T18:52:44Z"
}
References

Affected packages

PyPI / mcp-salesforce-connector

Package

Name
mcp-salesforce-connector
Purl
pkg:pypi/mcp-salesforce-connector

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
0.1.10

Affected versions

0.*
0.1.0
0.1.1
0.1.2
0.1.3
0.1.4
0.1.6
0.1.8
0.1.9

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-vf6j-c56p-cq58/GHSA-vf6j-c56p-cq58.json"