PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-44969 dbt-labs CVE debrief

CVE-2026-44969 is a LOW severity vulnerability in dbt-mcp, a Model Context Protocol server for interacting with dbt. The vulnerability involves logging of sensitive information in plaintext without automatic rotation or deletion. The CVE record was published on 2026-07-16T18:16:43.247Z and has not been modified since then. The fix is included in version 1.17.1 of dbt-mcp. Users of dbt-mcp should review the vulnerability details and assess their exposure.

Vendor
dbt-labs
Product
dbt-mcp
CVSS
LOW 2.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-16
Original CVE updated
2026-07-16
Advisory published
2026-07-16
Advisory updated
2026-07-16

Who should care

Users of dbt-mcp, particularly those responsible for configuring and managing logging, should review the vulnerability details and assess their exposure. This includes operators, platform administrators, vulnerability management teams, and security teams who need to ensure that sensitive information is properly protected.

Technical summary

Prior to 1.17.1, DbtMCP.call_tool() in src/dbt_mcp/mcp/server.py logged the raw arguments dictionary at INFO level before each tool calls and at ERROR level on exceptions. configure_file_logging() wrote those records to dbt-mcp.log when DBT_MCP_SERVER_FILE_LOGGING=true, preserving sensitive sql_query, vars, and node_selection values in plaintext without automatic rotation or deletion. The fix in version 1.17.1 prevents logging of sensitive information.

Defensive priority

Apply the patch to prevent logging of sensitive information and review logging configurations for DBT_MCP_SERVER_FILE_LOGGING

Recommended defensive actions

  • Apply the patch to dbt-mcp version 1.17.1 or later
  • Review logging configurations for DBT_MCP_SERVER_FILE_LOGGING
  • Consider compensating controls for sensitive information exposure
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
  • Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance
  • Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review

Evidence notes

The CVE record and NVD entry provide details on the vulnerability. The fix is included in version 1.17.1 of dbt-mcp. Evidence limits suggest that sensitive information exposure could occur through logging configurations. Defensive verification tasks include reviewing logging configurations for DBT_MCP_SERVER_FILE_LOGGING and considering compensating controls for sensitive information exposure. Affected scope and severity are detailed in the official CVE record and NVD entry.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-16T18:16:43.247Z and has not been modified since then.