CVE-2026-25650: MCP-Salesforce's arbitrary attribute access leads to disclosure of Salesforce auth token

February 6, 2026

Disclosure of Salesforce OAuth bearer tokens used by the MCP.

References

github.com/advisories/GHSA-vf6j-c56p-cq58
github.com/smn2gnt/MCP-Salesforce
github.com/smn2gnt/MCP-Salesforce/commit/a1e3a5a786f48508d066b6d40b58201ebf9b7fd6
github.com/smn2gnt/MCP-Salesforce/security/advisories/GHSA-vf6j-c56p-cq58
nvd.nist.gov/vuln/detail/CVE-2026-25650

Code Behaviors & Features

Detect and mitigate CVE-2026-25650 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →