CyberSec.Space Logo
返回 CVE 浏览器

CVE-2026-49257

CRITICAL
10.0
CVSS Severity Score
EPSS Score0.1880%
EPSS Percentile18.68th
Published2026年6月18日
Last Modified2026年6月18日

Vulnerability Description

mcp-pinot is a Python-based Model Context Protocol (MCP) server for interacting with Apache Pinot. In versions 3.0.1 and below, mcp-pinot defaults to running an HTTP MCP server bound to 0.0.0.0:8080 with no authentication enabled. All MCP tools, including SQL query execution, schema creation, and table-config mutation, are reachable by any network-adjacent caller. The server proxies these calls using server-side Pinot credentials, producing a confused-deputy condition that yields full read/write access to the configured Pinot cluster. This issue has been fixed in version 3.1.0

Affected Platforms (CPE)

No CPE configurations currently published for this record.

References & Advisories

🔗 https://github.com/startreedata/mcp-pinot/commit/1c7d3f9cd384854bf72c127d230bdb32299475ad
🔗 https://github.com/startreedata/mcp-pinot/issues/90
🔗 https://github.com/startreedata/mcp-pinot/pull/95
🔗 https://github.com/startreedata/mcp-pinot/security/advisories/GHSA-73cv-556c-w3g6

相关漏洞威胁

CVE-2026-1061110.0

An authentication bypass vulnerability exists in MISP when LDAP mixed authentication is enabled with OTP enforcement. In deploymen...

CVE-2026-4830310.0

Adobe Campaign Classic (ACC) versions 7.4.3 build 9394 and earlier are affected by an Incorrect Authorization vulnerability that c...

CVE-2026-5024210.0

In JetBrains Hub before 2026.1.13757, 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024.3.148430, 2024.2.148429 authentication byp...

CVE-2026-4855810.0

SimpleHelp versions 5.5.15 and prior and 6.0 pre-release versions contain an authentication bypass vulnerability in the OIDC authe...