GHSA-7XGW-6QF3-7W59
Vulnerability from github – Published: 2026-05-14 18:24 – Updated: 2026-05-14 18:24Discovered through manual source code review. Verified by PoC execution against a local dbt-mcp v1.15.1 installation.
Summary
DbtMCP.call_tool() in src/dbt_mcp/mcp/server.py logs the complete raw arguments dictionary at INFO level on every tool invocation (line 67) and again at ERROR level if the call raises an exception (lines 77–79). No field is redacted before logging. When the documented DBT_MCP_SERVER_FILE_LOGGING=true feature is enabled, these log records are written to dbt-mcp.log in the project root directory as plaintext. Sensitive data — raw SQL queries, --vars payloads carrying credentials, node selectors — persists on disk indefinitely with no automatic rotation or deletion.
Details
Vulnerable log statements (server.py):
# Line 67 — emitted before every tool execution
logger.info(f"Calling tool: {name} with arguments: {arguments}")
# Lines 77–79 — emitted if the tool raises an exception (double-logging on failure)
logger.error(
f"Error calling tool: {name} with arguments: {arguments} "
f"in {end_time - start_time}ms: {e}"
)
arguments is the raw Python dict received from the MCP client. It is string-interpolated directly into the log message. On a tool call that raises an exception, the same dict is logged twice — once at INFO and once at ERROR.
File logging is activated by DBT_MCP_SERVER_FILE_LOGGING=true (a documented feature in the project README). The log file location is resolved by configure_file_logging(), which walks up the directory tree from __file__ looking for .git or pyproject.toml, falling back to $HOME. Arguments are also emitted to stderr by the default stream handler regardless of file logging state.
PoC
MCP client script — triggers real tool calls and verifies log file contents:
#!/usr/bin/env python3
# poc4_tool_args_logged.py
# Vulnerable code: src/dbt_mcp/mcp/server.py line 67, 77-79
# configure_file_logging(): src/dbt_mcp/telemetry/logging.py
import logging
from pathlib import Path
LOG_FILENAME = "dbt-mcp.log"
def configure_file_logging(log_level: int = logging.INFO) -> Path:
"""Reproduction of configure_file_logging() from telemetry/logging.py."""
module_path = Path(__file__).resolve().parent
home = Path.home().resolve()
for candidate in [module_path, *module_path.parents]:
if (candidate / ".git").exists() or (candidate / "pyproject.toml").exists() or candidate == home:
repo_root = candidate
break
log_path = repo_root / LOG_FILENAME
root_logger = logging.getLogger()
root_logger.setLevel(log_level)
file_handler = logging.FileHandler(log_path, encoding="utf-8")
file_handler.setLevel(log_level)
file_handler.setFormatter(
logging.Formatter("%(asctime)s %(levelname)s [%(name)s] %(message)s")
)
root_logger.addHandler(file_handler)
return log_path
log_path = configure_file_logging()
server_logger = logging.getLogger("dbt_mcp.mcp.server")
# Exact log statements from server.py line 67 and line 77-79
name = "show"
arguments = {"sql_query": "SELECT ssn, credit_card_number, salary FROM customers WHERE id = 42", "limit": 5}
server_logger.info(f"Calling tool: {name} with arguments: {arguments}")
name2 = "run"
arguments2 = {"node_selection": "sensitive_model", "vars": '{"db_password": "hunter2", "api_key": "sk-prod-abc123xyz"}', "is_full_refresh": False}
server_logger.info(f"Calling tool: {name2} with arguments: {arguments2}")
# Verify file contents
lines = log_path.read_text(encoding="utf-8").splitlines()
poc_lines = [l for l in lines if "dbt_mcp.mcp.server" in l]
print(f"[log file: {log_path}]")
for line in poc_lines:
print(f" {line}")
keywords = ["ssn", "credit_card_number", "salary", "db_password", "api_key"]
found = [kw for kw in keywords if any(kw in l for l in poc_lines)]
if found:
print(f"\n[CONFIRMED] Sensitive keywords in plaintext log: {found}")
print(f"[CONFIRMED] No redaction applied. File persists at {log_path}")
Expected log file entries:
2026-04-27 ... INFO [dbt_mcp.mcp.server] Calling tool: show with arguments:
{'sql_query': 'SELECT ssn, credit_card_number, salary FROM customers', 'limit': 5}
2026-04-27 ... INFO [dbt_mcp.mcp.server] Calling tool: run with arguments:
{'node_selection': 'sensitive_model',
'vars': '{"db_password":"hunter2","api_key":"sk-prod-abc123"}',
'is_full_refresh': False}
[CONFIRMED] Sensitive keywords in plaintext log: ['ssn', 'credit_card_number', 'salary', 'db_password', 'api_key']
[CONFIRMED] No redaction applied.
Impact
Directly proven by this PoC:
- When
DBT_MCP_SERVER_FILE_LOGGING=true, the fullargumentsdict of every tool call — includingsql_query,vars, andnode_selection— is written todbt-mcp.login plaintext on every invocation. - A tool call that raises an exception produces two log entries with the same sensitive content (INFO + ERROR double-logging).
- The log file has no automatic rotation, expiry, or access restriction beyond filesystem permissions.
Combined with Advisory 3 (telemetry), a single show tool call containing PII produces one telemetry transmission to dbt Labs and one (or two, on failure) persistent log entries on disk.
Remediation
redact known-sensitive argument values before logging:
_LOG_REDACT = frozenset({"sql_query", "vars"})
def _safe_args(arguments: dict) -> dict:
return {k: "***redacted***" if k in _LOG_REDACT else v
for k, v in arguments.items()}
# server.py line 67:
logger.info(f"Calling tool: {name} with arguments: {_safe_args(arguments)}")
# server.py lines 77-79:
logger.error(
f"Error calling tool: {name} with arguments: {_safe_args(arguments)} "
f"in {end_time - start_time}ms: {e}"
)
log argument keys only:
logger.info(f"Calling tool: {name} with argument keys: {list(arguments.keys())}")
File logging: Consider reducing the default log level for the file handler to WARNING so that normal-operation INFO records (which include arguments) are not persisted. Sensitive content would only appear in file logs on error.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.17.0"
},
"package": {
"ecosystem": "PyPI",
"name": "dbt-mcp"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.17.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-44969"
],
"database_specific": {
"cwe_ids": [
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-14T18:24:44Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "*Discovered through manual source code review. Verified by PoC execution against a local dbt-mcp v1.15.1 installation.*\n\n### Summary\n\n`DbtMCP.call_tool()` in `src/dbt_mcp/mcp/server.py` logs the complete raw `arguments` dictionary at `INFO` level on every tool invocation (line 67) and again at `ERROR` level if the call raises an exception (lines 77\u201379). No field is redacted before logging. When the documented `DBT_MCP_SERVER_FILE_LOGGING=true` feature is enabled, these log records are written to `dbt-mcp.log` in the project root directory as plaintext. Sensitive data \u2014 raw SQL queries, `--vars` payloads carrying credentials, node selectors \u2014 persists on disk indefinitely with no automatic rotation or deletion.\n\n### Details\n\n**Vulnerable log statements (`server.py`):**\n\n```python\n# Line 67 \u2014 emitted before every tool execution\nlogger.info(f\"Calling tool: {name} with arguments: {arguments}\")\n\n# Lines 77\u201379 \u2014 emitted if the tool raises an exception (double-logging on failure)\nlogger.error(\n f\"Error calling tool: {name} with arguments: {arguments} \"\n f\"in {end_time - start_time}ms: {e}\"\n)\n```\n\n`arguments` is the raw Python dict received from the MCP client. It is string-interpolated directly into the log message. On a tool call that raises an exception, the same dict is logged twice \u2014 once at INFO and once at ERROR.\n\nFile logging is activated by `DBT_MCP_SERVER_FILE_LOGGING=true` (a documented feature in the project README). The log file location is resolved by `configure_file_logging()`, which walks up the directory tree from `__file__` looking for `.git` or `pyproject.toml`, falling back to `$HOME`. Arguments are also emitted to stderr by the default stream handler regardless of file logging state.\n\n### PoC\n\n**MCP client script \u2014 triggers real tool calls and verifies log file contents:**\n\n```python\n#!/usr/bin/env python3\n# poc4_tool_args_logged.py\n# Vulnerable code: src/dbt_mcp/mcp/server.py line 67, 77-79\n# configure_file_logging(): src/dbt_mcp/telemetry/logging.py\n\nimport logging\nfrom pathlib import Path\n\nLOG_FILENAME = \"dbt-mcp.log\"\n\ndef configure_file_logging(log_level: int = logging.INFO) -\u003e Path:\n \"\"\"Reproduction of configure_file_logging() from telemetry/logging.py.\"\"\"\n module_path = Path(__file__).resolve().parent\n home = Path.home().resolve()\n for candidate in [module_path, *module_path.parents]:\n if (candidate / \".git\").exists() or (candidate / \"pyproject.toml\").exists() or candidate == home:\n repo_root = candidate\n break\n log_path = repo_root / LOG_FILENAME\n root_logger = logging.getLogger()\n root_logger.setLevel(log_level)\n file_handler = logging.FileHandler(log_path, encoding=\"utf-8\")\n file_handler.setLevel(log_level)\n file_handler.setFormatter(\n logging.Formatter(\"%(asctime)s %(levelname)s [%(name)s] %(message)s\")\n )\n root_logger.addHandler(file_handler)\n return log_path\n\nlog_path = configure_file_logging()\nserver_logger = logging.getLogger(\"dbt_mcp.mcp.server\")\n\n# Exact log statements from server.py line 67 and line 77-79\nname = \"show\"\narguments = {\"sql_query\": \"SELECT ssn, credit_card_number, salary FROM customers WHERE id = 42\", \"limit\": 5}\nserver_logger.info(f\"Calling tool: {name} with arguments: {arguments}\")\n\nname2 = \"run\"\narguments2 = {\"node_selection\": \"sensitive_model\", \"vars\": \u0027{\"db_password\": \"hunter2\", \"api_key\": \"sk-prod-abc123xyz\"}\u0027, \"is_full_refresh\": False}\nserver_logger.info(f\"Calling tool: {name2} with arguments: {arguments2}\")\n\n# Verify file contents\nlines = log_path.read_text(encoding=\"utf-8\").splitlines()\npoc_lines = [l for l in lines if \"dbt_mcp.mcp.server\" in l]\nprint(f\"[log file: {log_path}]\")\nfor line in poc_lines:\n print(f\" {line}\")\n\nkeywords = [\"ssn\", \"credit_card_number\", \"salary\", \"db_password\", \"api_key\"]\nfound = [kw for kw in keywords if any(kw in l for l in poc_lines)]\nif found:\n print(f\"\\n[CONFIRMED] Sensitive keywords in plaintext log: {found}\")\n print(f\"[CONFIRMED] No redaction applied. File persists at {log_path}\")\n```\n\n**Expected log file entries:**\n\n````\n2026-04-27 ... INFO [dbt_mcp.mcp.server] Calling tool: show with arguments:\n {\u0027sql_query\u0027: \u0027SELECT ssn, credit_card_number, salary FROM customers\u0027, \u0027limit\u0027: 5}\n\n2026-04-27 ... INFO [dbt_mcp.mcp.server] Calling tool: run with arguments:\n {\u0027node_selection\u0027: \u0027sensitive_model\u0027,\n \u0027vars\u0027: \u0027{\"db_password\":\"hunter2\",\"api_key\":\"sk-prod-abc123\"}\u0027,\n \u0027is_full_refresh\u0027: False}\n\n[CONFIRMED] Sensitive keywords in plaintext log: [\u0027ssn\u0027, \u0027credit_card_number\u0027, \u0027salary\u0027, \u0027db_password\u0027, \u0027api_key\u0027]\n[CONFIRMED] No redaction applied.\n````\n\n\u003cimg width=\"3798\" height=\"462\" alt=\"image\" src=\"https://github.com/user-attachments/assets/b4c23a93-b3d3-4b7f-ba46-3d4a324d609f\" /\u003e\n\n### Impact\n\n**Directly proven by this PoC:**\n\n- When `DBT_MCP_SERVER_FILE_LOGGING=true`, the full `arguments` dict of every tool call \u2014 including `sql_query`, `vars`, and `node_selection` \u2014 is written to `dbt-mcp.log` in plaintext on every invocation.\n- A tool call that raises an exception produces **two** log entries with the same sensitive content (INFO + ERROR double-logging).\n- The log file has no automatic rotation, expiry, or access restriction beyond filesystem permissions.\n\nCombined with Advisory 3 (telemetry), a single `show` tool call containing PII produces one telemetry transmission to dbt Labs **and** one (or two, on failure) persistent log entries on disk.\n\n### Remediation\n\n**redact known-sensitive argument values before logging:**\n\n```python\n_LOG_REDACT = frozenset({\"sql_query\", \"vars\"})\n\ndef _safe_args(arguments: dict) -\u003e dict:\n return {k: \"***redacted***\" if k in _LOG_REDACT else v\n for k, v in arguments.items()}\n\n# server.py line 67:\nlogger.info(f\"Calling tool: {name} with arguments: {_safe_args(arguments)}\")\n\n# server.py lines 77-79:\nlogger.error(\n f\"Error calling tool: {name} with arguments: {_safe_args(arguments)} \"\n f\"in {end_time - start_time}ms: {e}\"\n)\n```\n\n**log argument keys only:**\n\n```python\nlogger.info(f\"Calling tool: {name} with argument keys: {list(arguments.keys())}\")\n```\n\n**File logging:** Consider reducing the default log level for the file handler to `WARNING` so that normal-operation INFO records (which include arguments) are not persisted. Sensitive content would only appear in file logs on error.",
"id": "GHSA-7xgw-6qf3-7w59",
"modified": "2026-05-14T18:24:44Z",
"published": "2026-05-14T18:24:44Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/dbt-labs/dbt-mcp/security/advisories/GHSA-7xgw-6qf3-7w59"
},
{
"type": "PACKAGE",
"url": "https://github.com/dbt-labs/dbt-mcp"
},
{
"type": "WEB",
"url": "https://github.com/dbt-labs/dbt-mcp/releases/tag/v1.17.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "dbt MCP Server Logs Tool Arguments Including SQL Queries and Credentials in Plaintext Without Redaction When File Logging Is Enabled"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.