Advisories for Pypi/Dbt-Mcp package

2026

dbt MCP Server: Unauthenticated OAuth Context Endpoint Leaks dbt Platform Tokens

The local OAuth helper FastAPI server bundled with dbt-mcp exposes the GET /dbt_platform_context endpoint without any form of authentication or host-origin validation. After a user completes the OAuth login flow against dbt Cloud (cloud.getdbt.com), the endpoint returns the full DbtPlatformContext object — including the victim's access_token and refresh_token for the dbt Platform API — verbatim to any caller that can reach 127.0.0.1:6785. An attacker who can direct the victim's browser …

dbt MCP Server Transmits All MCP Tool Arguments Including Raw SQL and --vars Credentials to dbt Labs Telemetry by Default Without Redaction

DefaultUsageTracker.emit_tool_called_event() in src/dbt_mcp/tracking/tracking.py serializes the complete arguments dictionary of every MCP tool call and transmits it verbatim to the dbt Labs telemetry service via dbtlabs_vortex.producer.log_proto. No field is redacted, truncated, or excluded before transmission. This includes the sql_query parameter of the show tool (arbitrary SQL) and the vars parameter of run, build, and test (JSON string that may contain credentials). Telemetry is on by default; the opt-out mechanism requires explicit …

dbt MCP Server Logs Tool Arguments Including SQL Queries and Credentials in Plaintext Without Redaction When File Logging Is Enabled

DbtMCP.call_tool() in src/dbt_mcp/mcp/server.py logs the complete raw arguments dictionary at INFO level on every tool invocation (line 67) and again at ERROR level if the call raises an exception (lines 77–79). No field is redacted before logging. When the documented DBT_MCP_SERVER_FILE_LOGGING=true feature is enabled, these log records are written to dbt-mcp.log in the project root directory as plaintext. Sensitive data — raw SQL queries, –vars payloads carrying credentials, node selectors …

dbt MCP Server has an Argument Injection in dbt CLI Tool Wrappers via node_selection and resource_type Parameters

_run_dbt_command() in src/dbt_mcp/dbt_cli/tools.py constructs the dbt subprocess argument list by appending user-supplied MCP tool parameters without sanitization. Two independent injection vectors exist. An MCP client can inject arbitrary dbt global flags — such as –profiles-dir, –project-dir, and –target — by crafting the node_selection string (Vector 1) or the resource_type JSON array (Vector 2). Because subprocess.Popen is called with shell=False and a list argument, shell metacharacter injection is not possible; however, …