Insertion of Sensitive Information Into Sent Data Affecting dbt-mcp package, versions [,1.17.1)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-PYTHON-DBTMCP-16734294
- published18 May 2026
- disclosed14 May 2026
- credithewei-gikaku
Introduced: 14 May 2026
NewCVE-2026-44970 (opens in a new tab)How to fix?
Upgrade dbt-mcp to version 1.17.1 or higher.
Overview
dbt-mcp is an A MCP (Model Context Protocol) server for interacting with dbt resources.
Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data in the emit_tool_called_event process, which serializes and transmits all tool arguments, including sensitive fields such as sql_query and vars, to a remote telemetry endpoint without redaction or filtering. An attacker can gain unauthorized access to sensitive information, such as credentials or personally identifiable data, by intercepting or accessing the telemetry payloads sent from affected systems. This is only exploitable if telemetry is enabled by default and the user has not explicitly opted out via environment variables.