CVE-2026-55837 is a medium-severity missing authentication for critical function vulnerability in dbt-mcp (pip), affecting versions < 1.20.0. It is fixed in 1.20.0.
Unauthenticated OAuth Context Endpoint Leaks dbt Platform Tokens Summary The local OAuth helper FastAPI server bundled with dbt-mcp exposes the GET /dbtplatformcontext endpoint without any form of authentication or host-origin validation. After a user completes the OAuth login flow against dbt Cloud (cloud.getdbt.com), the endpoint returns the full DbtPlatformContext object, including the victim's accesstoken and refreshtoken for the dbt Platform API, verbatim to any caller that can reach 127.0.0.1:6785. An attacker who can direct the victim's browser to the helper origin via DNS rebinding, or who has co-located process access on the same host, can silently exfiltrate both tokens. The stolen bearer token grants full dbt Cloud API access as the victim; the refresh token enables persistent access beyond the original token's expiry. CVSS Base Score: 8.0 (High). Details During the OAuth login flow, dbt-mcp launches an embedded FastAPI server (the "OAuth helper") bound to 127.0.0.1 starting on port 6785 (configured at src/dbtmcp/config/credentials.py:34, OAUTHREDIRECTSTARTINGPORT = 6785). After the OAuth callback is handled, the helper persists the full token context to disk and continues serving requests. Data flow from source to sink: Source, src/dbtmcp/oauth/fastapiapp.py:106: The OAuth callback receives tokenresponse from the dbt Platform authorization server. src/dbtmcp/oauth/dbtplatform.py:60: AccessTokenResponse(tokenresponse) stores accesstoken and refreshtoken as plaintext fields. src/dbtmcp/oauth/dbtplatform.py:64–69: The AccessTokenResponse is embedded inside DecodedAccessToken, which is in turn embedded inside DbtPlatformContext. src/dbtmcp/oauth/fastapiapp.py:114: The fully token-bearing DbtPlatformContext object is passed to contextmanager for persistence. Persistence sink, src/dbtmcp/oauth/contextmanager.py:63–64: yaml.dump(context.modeldump()) serializes the entire model, including tokens, to a YAML file on disk. HTTP sink, src/dbtmcp/oauth/fastapiapp.py:162–165: The GET /dbtplatformcontext route reads the YAML file back and returns the raw DbtPlatformContext object with no redaction. Missing protections (confirmed by grep): No TrustedHostMiddleware, the server accepts requests with arbitrary Host headers, enabling DNS rebinding. No CORSMiddleware, no cross-origin restrictions on which sites can read the response. No CSRF protection, no session nonce, no Origin header validation. The route has no FastAPI Depends() security dependency. A grep -Rni "TrustedHostMiddleware\|CORSMiddleware\|csrf\|origin" across the OAuth FastAPI application returns no results. Recommended remediation: PoC Prerequisites: dbt-mcp v1.19.1 installed in a Python 3.12 environment. The following runtime dependencies available: authlib~=1.6.7, fastapi~=0.128.0, uvicorn~=0.38.0, pyyaml~=6.0.2, httpx~=0.28.1, starlette~=0.50.0, pydantic~=2.0, pydantic-settings~=2.10.1. No DBTTOKEN set (OAuth flow mode active). Step 1, Build the Docker test environment: The Dockerfile installs only the OAuth helper's runtime dependencies and copies src/ and poc.py: Step 2, Run the PoC: The PoC script (poc.py) performs the following automatically: Writes a realistic fake OAuth context YAML to /tmp/dbtpocmcp.yml, simulating a victim who has already completed the OAuth login flow. Instantiates the real createapp() from src/dbtmcp/oauth/fastapiapp.py using DbtPlatformContextManager backed by the pre-seeded file. Starts the server on 127.0.0.1:16785 in a background thread. Issues an unauthenticated GET /dbtplatformcontext with no Authorization header. Asserts that accesstoken and refreshtoken are returned verbatim. Equivalent manual curl (against the live OAuth helper during actual OAuth flow): Expected output (Phase 2 observed): DNS rebinding variant: A malicious website can resolve attacker.example to 127.0.0.1 after the browser's DNS TTL expires ("DNS rebinding"). Because the helper accepts any Host header, the browser treats http://attacker.example:6785 as same-origin and fetches /dbtplatformcontext via JavaScript fetch(), obtaining the full token JSON across the network without any local access. Impact Any local process running as any user on the same host, or a remote attacker who exploits DNS rebinding against a victim's browser during or after the OAuth login session, can retrieve the victim's full dbt Cloud OAuth tokens with a single unauthenticated HTTP GET request. The accesstoken grants immediate bearer-token access to the dbt Cloud REST and GraphQL APIs on behalf of the victim. The refreshtoken (with offline_access scope) allows the attacker to obtain new access tokens after the original expires, providing persistent unauthorized access until the victim manually revokes the OAuth grant. An attacker with these tokens can read or modify dbt projects, run jobs, access environment secrets, and exfiltrate data lineage and warehouse credentials stored in dbt Cloud. This vulnerability is a Missing Authentication for Critical Function** (CWE-306). Any developer machine running dbt-mcp with OAuth-mode authentication is affected for the duration of the OAuth helper process lifetime. Because dbt-mcp is a developer tool, the primary victims are individual developers and their associated dbt Cloud organization accounts. Reproduction artifacts Dockerfile poc.py
A critical operation is accessible without requiring any authentication. Typical impact: any user can invoke the privileged function.
CVE-2026-55837 has a CVSS score of 6.8 (Medium). The vector is network-reachable, no privileges required, and user interaction required. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment.
A fixed version is available (1.20.0). Upgrading removes the vulnerable code path.
pip
dbt-mcp (< 1.20.0)dbt-mcp → 1.20.0 (pip)Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.
Kodem's runtime-powered SCA identifies whether CVE-2026-55837 is reachable in your applications. Explore AI application security for your team.
See if CVE-2026-55837 is reachable in your applications. Get a demo
Upgrade dbt-mcp to 1.20.0 or later to resolve this vulnerability.
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
CVE-2026-55837 is a medium-severity missing authentication for critical function vulnerability in dbt-mcp (pip), affecting versions < 1.20.0. It is fixed in 1.20.0. A critical operation is accessible without requiring any authentication.
CVE-2026-55837 has a CVSS score of 6.8 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
dbt-mcp (pip) versions < 1.20.0 is affected.
Yes. CVE-2026-55837 is fixed in 1.20.0. Upgrade to this version or later.
Whether CVE-2026-55837 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
Upgrade dbt-mcp to 1.20.0 or later.