Insertion of Sensitive Information into Log File in dbt-mcp | CVE-2026-44969

Q: How to fix?

Upgrade dbt-mcp to version 1.17.1 or higher.

Introduced: 14 May 2026

NewCVE-2026-44969 (opens in a new tab) CWE-532 (opens in a new tab)

How to fix?

Upgrade dbt-mcp to version 1.17.1 or higher.

Overview

dbt-mcp is an A MCP (Model Context Protocol) server for interacting with dbt resources.

Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File in the call_tool process when file logging is enabled via the DBT_MCP_SERVER_FILE_LOGGING setting. An attacker can access sensitive information, such as SQL queries and credentials, by reviewing unredacted log files written to disk. This is only exploitable if file logging is explicitly enabled in the server configuration.

References

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Local
Attack Complexity (AC)
High
Attack Requirements (AT)
Present
Privileges Required (PR)
Low
User Interaction (UI)
None

Confidentiality (VC)
Low
Integrity (VI)
None
Availability (VA)
None

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None

Insertion of Sensitive Information into Log File Affecting dbt-mcp package, versions [,1.17.1)

Severity

Do your applications use this vulnerable package?

Snyk Learn

Introduced: 14 May 2026

How to fix?

Overview

References

CVSS Base Scores

Snyk