PatchSiren

dbt-labs CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

LOW dbt-labs CVE published 2026-07-16

CVE-2026-44970

The dbt-mcp server, a Model Context Protocol server for interacting with dbt, has a vulnerability in its usage tracking feature. Prior to version 1.17.1, the DefaultUsageTracker.emit_tool_called_event() function in src/dbt_mcp/tracking/tracking.py was sending sensitive information, including sql_query, vars, and node_selection, without proper redaction when usage_tracking_enabled was set to True in settin [truncated]

LOW dbt-labs CVE published 2026-07-16

CVE-2026-44969

CVE-2026-44969 is a LOW severity vulnerability in dbt-mcp, a Model Context Protocol server for interacting with dbt. The vulnerability involves logging of sensitive information in plaintext without automatic rotation or deletion. The CVE record was published on 2026-07-16T18:16:43.247Z and has not been modified since then. The fix is included in version 1.17.1 of dbt-mcp. Users of dbt-mcp should review th [truncated]

MEDIUM dbt-labs CVE published 2026-07-16

CVE-2026-44968

CVE-2026-44968 is a MEDIUM severity vulnerability in dbt-mcp, caused by unsanitized node_selection and resource_type values in _run_dbt_command() in src/dbt_mcp/dbt_cli/tools.py. This allows an MCP client to inject dbt global flags into subprocess.Popen. The CVE record was published on 2026-07-16T18:16:43.100Z and has not been modified since then. Users of dbt-mcp should be aware of this vulnerability and [truncated]