PatchSiren

startreedata CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

CRITICAL startreedata CVE published 2026-06-18

CVE-2026-49257

A critical vulnerability was discovered in mcp-pinot, a Python-based Model Context Protocol (MCP) server for interacting with Apache Pinot. The vulnerability allows for full read/write access to the configured Pinot cluster due to a confused-deputy condition. This condition arises because mcp-pinot defaults to running an HTTP MCP server bound to 0.0.0.0:8080 with no authentication enabled, allowing all MC [truncated]