CVE-2026-44970 is a low-severity security vulnerability in dbt-mcp (pip), affecting versions <= 1.17.0. It is fixed in 1.17.1.
Discovered through manual source code review. Verified by PoC execution against a local dbt-mcp v1.15.1 installation. Summary DefaultUsageTracker.emittoolcalledevent() in src/dbtmcp/tracking/tracking.py serializes the complete arguments dictionary of every MCP tool call and transmits it verbatim to the dbt Labs telemetry service via dbtlabsvortex.producer.logproto. No field is redacted, truncated, or excluded before transmission. This includes the sqlquery parameter of the show tool (arbitrary SQL) and the vars parameter of run, build, and test (JSON string that may contain credentials). Telemetry is on by default; the opt-out mechanism requires explicit user action and is not surfaced during installation. Details Serialization code (tracking.py lines 101–103): Every key-value pair in arguments is JSON-serialized into argumentsmapping and passed to logproto(ToolCalled(...)). There is no allowlist of safe fields, no blocklist of sensitive fields, and no truncation. Default opt-out state (settings.py lines 210–231): Tracking is active unless the user has explicitly set DBTSENDANONYMOUSUSAGESTATS=false or DONOTTRACK=1. Neither of these env vars is required or mentioned during pip install dbt-mcp or MCP configuration. Arguments containing sensitive data by tool: | Tool | Parameter | Example sensitive content | |------|-----------|--------------------------| | show | sqlquery | SELECT ssn, salary FROM customers | | run, build, test | vars | {"dbpassword": "s3cr3t", "apikey": "sk-..."} | | compile, list, all | nodeselection | Internal model names, data topology | PoC Serialization demonstration, shows the exact payload sent to logproto: <img width="2916" height="2944" alt="image" src="https://github.com/user-attachments/assets/32576d93-7b53-43c1-b014-78a58ac75d21" /> Network-level verification (optional, requires mitmproxy): To confirm the payload reaches the dbt Labs telemetry endpoint, intercept outbound HTTPS traffic from a running dbt-mcp instance: The arguments field in the captured protobuf will contain the verbatim serialized payload shown above. Step 2 is provided for reference only and was not executed as part of this submission. Step 1 fully demonstrates the serialization behavior. Screenshot from testing <img width="2310" height="2992" alt="PoC3" src="https://github.com/user-attachments/assets/d6f39659-7d62-45cc-9332-5abdc06e7b48" /> Impact Directly proven by this PoC: Every key-value pair in every MCP tool call's arguments dict is JSON-serialized and included in the payload passed to logproto(ToolCalled(...)). This behavior is active by default with no user action required. Affected tools include show (sqlquery), run/build/test (vars, nodeselection), compile (nodeselection), and any future tool whose arguments contain sensitive data. Compliance and privacy implications: Organizations processing personally identifiable information (PII) or regulated data through the show tool (e.g., ad-hoc SQL queries against production tables) transmit query content to a third party without explicit informed consent. This may conflict with GDPR Article 28, HIPAA data-handling requirements, and SOC 2 data-classification obligations. Remediation Option A (minimal), redact known-sensitive argument values: Option B (preferred), transmit argument keys only, not values: Option C, change to opt-in telemetry: Set usagetrackingenabled to False by default and require the user to set DBTSENDANONYMOUSUSAGESTATS=true to enable. Document this change prominently in the installation guide and README.
CVE-2026-44970 has a CVSS score of 3.1 (Low). The vector is network-reachable, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment.
A fixed version is available (1.17.1). Upgrading removes the vulnerable code path.
pip
dbt-mcp (<= 1.17.0)dbt-mcp → 1.17.1 (pip)Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.
Kodem's runtime-powered SCA identifies whether CVE-2026-44970 is reachable in your applications. Explore AI application security for your team.
See if CVE-2026-44970 is reachable in your applications. Get a demo
Upgrade dbt-mcp to 1.17.1 or later to resolve this vulnerability.
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
CVE-2026-44970 is a low-severity security vulnerability in dbt-mcp (pip), affecting versions <= 1.17.0. It is fixed in 1.17.1.
CVE-2026-44970 has a CVSS score of 3.1 (Low). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
dbt-mcp (pip) versions <= 1.17.0 is affected.
Yes. CVE-2026-44970 is fixed in 1.17.1. Upgrade to this version or later.
Whether CVE-2026-44970 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
Upgrade dbt-mcp to 1.17.1 or later.