Description
mcp-pinot is a Python-based Model Context Protocol (MCP) server for interacting with Apache Pinot. In versions 3.0.1 and below, mcp-pinot defaults to running an HTTP MCP server bound to 0.0.0.0:8080 with no authentication enabled. All MCP tools, including SQL query execution, schema creation, and table-config mutation, are reachable by any network-adjacent caller. The server proxies these calls using server-side Pinot credentials, producing a confused-deputy condition that yields full read/write access to the configured Pinot cluster. This issue has been fixed in version 3.1.0
Published: 2026-06-18
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

mcp-pinot is a Python‑based server that, in versions 3.0.1 and earlier, runs an HTTP MCP service bound to all interfaces with authentication turned off by default. This configuration exposes the full set of MCP tools—including query execution, schema manipulation, and table‑configuration changes—to any network‑adjacent client. Because the server forwards these calls using privileged server‑side Pinot credentials, an attacker can read and alter any data or configuration in the Pinot cluster, effectively achieving a confused‑deputy condition that amounts to full cluster compromise.

Affected Systems

The vulnerability affects the product mcp-pinot from startreedata. All releases version 3.0.1 or earlier are impacted; the issue is fixed starting with version 3.1.0.

Risk and Exploitability

The CVSS score is 10, indicating a critical impact. No EPSS data is available, and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is remote network access to the exposed 8080 port on the MCP server; any client that can reach this endpoint can exploit the flaw without authentication.

Generated by OpenCVE AI on June 18, 2026 at 22:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the mcp-pinot installation to version 3.1.0 or later
  • Configure the server to enable OAuth (set oauth_enabled=true) and/or bind the service to a non‑public interface such as 127.0.0.1
  • If upgrading or reconfiguring is not immediately possible, restrict network access to port 8080 using firewall rules to allow only trusted hosts

Generated by OpenCVE AI on June 18, 2026 at 22:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-73cv-556c-w3g6 mcp-pinot: Unauthenticated tool invocation via default oauth_enabled=False + host 0.0.0.0 bind
History

Mon, 22 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Startreedata
Startreedata mcp-pinot
Vendors & Products Startreedata
Startreedata mcp-pinot

Thu, 18 Jun 2026 21:15:00 +0000

Type Values Removed Values Added
Description mcp-pinot is a Python-based Model Context Protocol (MCP) server for interacting with Apache Pinot. In versions 3.0.1 and below, mcp-pinot defaults to running an HTTP MCP server bound to 0.0.0.0:8080 with no authentication enabled. All MCP tools, including SQL query execution, schema creation, and table-config mutation, are reachable by any network-adjacent caller. The server proxies these calls using server-side Pinot credentials, producing a confused-deputy condition that yields full read/write access to the configured Pinot cluster. This issue has been fixed in version 3.1.0
Title mcp-pinot: Unauthenticated tool invocation via default oauth_enabled=False + host 0.0.0.0 bind
Weaknesses CWE-306
References
Metrics cvssV3_1

{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}


Subscriptions

Startreedata Mcp-pinot
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-22T18:08:18.034Z

Reserved: 2026-05-28T14:33:01.179Z

Link: CVE-2026-49257

cve-icon Vulnrichment

Updated: 2026-06-22T18:08:04.890Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T22:55:41Z

Weaknesses
  • CWE-306

    Missing Authentication for Critical Function