Description
mcp-pinot is a Python-based Model Context Protocol (MCP) server for interacting with Apache Pinot. In versions 3.0.1 and below, mcp-pinot defaults to running an HTTP MCP server bound to 0.0.0.0:8080 with no authentication enabled. All MCP tools, including SQL query execution, schema creation, and table-config mutation, are reachable by any network-adjacent caller. The server proxies these calls using server-side Pinot credentials, producing a confused-deputy condition that yields full read/write access to the configured Pinot cluster. This issue has been fixed in version 3.1.0.
Published: 2026-06-18
Score: 10 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

mcp-pinot is a Python‑based server that, in versions 3.0.1 and earlier, runs an HTTP MCP service bound to all interfaces with authentication turned off by default. This configuration exposes the full set of MCP tools—including query execution, schema manipulation, and table‑configuration changes—to any network‑adjacent client. Because the server forwards these calls using privileged server‑side Pinot credentials, an attacker can read and alter any data or configuration in the Pinot cluster, effectively achieving a confused‑deputy condition that amounts to full cluster compromise.

Affected Systems

The vulnerability affects the product mcp-pinot from startreedata. All releases up to and including 3.0.1 are affected; the issue is fixed in version 3.1.0.

Risk and Exploitability

The CVSS score is 10, indicating a critical impact. No EPSS data is available, and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is remote network access to the exposed 8080 port on the MCP server; any client that can reach this endpoint can exploit the flaw without authentication.

Generated by OpenCVE AI on June 18, 2026 at 22:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the mcp-pinot installation to version 3.1.0 or later
  • Configure the server to enable OAuth (set oauth_enabled=true) and/or bind the service to a non‑public interface such as 127.0.0.1
  • If upgrading or reconfiguring is not immediately possible, restrict network access to port 8080 using firewall rules to allow only trusted hosts
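
The checks in the list above can be run across a deployment inventory. The following is an added example, not code from mcp-pinot or OpenCVE; the function names and the `version`/`host` parameters are assumptions of this sketch (only `oauth_enabled` is named on this page), and the sample inventory is constructed.

```python
import ipaddress

FIXED = (3, 1, 0)  # first fixed release, per the description on this page


def parse_version(text):
    """Turn '3.0.1' into (3, 0, 1); short forms like '3.1' are zero-padded."""
    parts = text.strip().lstrip("v").split(".")
    return tuple(int(p) for p in parts) + (0,) * (3 - len(parts))


def is_loopback_bind(host):
    """True only when the listener is reachable from the local host alone."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # unresolved hostname: treat as network-reachable


def audit(version, host, oauth_enabled):
    """Return findings for one deployment; an empty list means none."""
    findings = []
    if parse_version(version) < FIXED:
        findings.append("version below 3.1.0: upgrade")
    # Flagged regardless of version: no authentication on a reachable bind.
    if not oauth_enabled and not is_loopback_bind(host):
        findings.append("unauthenticated listener on a non-loopback address")
    return findings


if __name__ == "__main__":
    # Constructed sample inventory: (name, version, bind host, oauth_enabled)
    inventory = [
        ("analytics-mcp", "3.0.1", "0.0.0.0", False),
        ("dev-laptop", "3.0.1", "127.0.0.1", False),
        ("prod-mcp", "3.1.0", "10.0.0.5", True),
    ]
    for name, version, host, oauth in inventory:
        print(name, audit(version, host, oauth) or "no findings")
```
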

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 21:15:00 +0000

Values added (no values removed):

  • Description: mcp-pinot is a Python-based Model Context Protocol (MCP) server for interacting with Apache Pinot. In versions 3.0.1 and below, mcp-pinot defaults to running an HTTP MCP server bound to 0.0.0.0:8080 with no authentication enabled. All MCP tools, including SQL query execution, schema creation, and table-config mutation, are reachable by any network-adjacent caller. The server proxies these calls using server-side Pinot credentials, producing a confused-deputy condition that yields full read/write access to the configured Pinot cluster. This issue has been fixed in version 3.1.0
  • Title: mcp-pinot: Unauthenticated tool invocation via default oauth_enabled=False + host 0.0.0.0 bind
  • Weaknesses: CWE-306
  • References:
  • Metrics: cvssV3_1 {'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-18T21:01:10.984Z

Reserved: 2026-05-28T14:33:01.179Z

Link: CVE-2026-49257

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T22:30:16Z

Weaknesses
  • CWE-306: Missing Authentication for Critical Function