PT-2026-41149 · Pypi · Dbt-Mcp
Published
2026-05-14
·
Updated
2026-05-14
·
CVE-2026-44969
CVSS v3.1
2.5
Low
| Vector | AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N |
Discovered through manual source code review. Verified by PoC execution against a local dbt-mcp v1.15.1 installation.
Summary
DbtMCP.call tool() in src/dbt mcp/mcp/server.py logs the complete raw arguments dictionary at INFO level on every tool invocation (line 67) and again at ERROR level if the call raises an exception (lines 77–79). No field is redacted before logging. When the documented DBT MCP SERVER FILE LOGGING=true feature is enabled, these log records are written to dbt-mcp.log in the project root directory as plaintext. Sensitive data — raw SQL queries, --vars payloads carrying credentials, node selectors — persists on disk indefinitely with no automatic rotation or deletion.Details
Vulnerable log statements (
server.py):# Line 67 — emitted before every tool execution
logger.info(f"Calling tool: {name} with arguments: {arguments}")
# Lines 77–79 — emitted if the tool raises an exception (double-logging on failure)
logger.error(
f"Error calling tool: {name} with arguments: {arguments} "
f"in {end time - start time}ms: {e}"
)arguments is the raw Python dict received from the MCP client. It is string-interpolated directly into the log message. On a tool call that raises an exception, the same dict is logged twice — once at INFO and once at ERROR.File logging is activated by
DBT MCP SERVER FILE LOGGING=true (a documented feature in the project README). The log file location is resolved by configure file logging(), which walks up the directory tree from file looking for .git or pyproject.toml, falling back to $HOME. Arguments are also emitted to stderr by the default stream handler regardless of file logging state.PoC
MCP client script — triggers real tool calls and verifies log file contents:
#!/usr/bin/env python3
# poc4 tool args logged.py
# Vulnerable code: src/dbt mcp/mcp/server.py line 67, 77-79
# configure file logging(): src/dbt mcp/telemetry/logging.py
import logging
from pathlib import Path
LOG FILENAME = "dbt-mcp.log"
def configure file logging(log level: int = logging.INFO) -> Path:
"""Reproduction of configure file logging() from telemetry/logging.py."""
module path = Path( file ).resolve().parent
home = Path.home().resolve()
for candidate in [module path, *module path.parents]:
if (candidate / ".git").exists() or (candidate / "pyproject.toml").exists() or candidate == home:
repo root = candidate
break
log path = repo root / LOG FILENAME
root logger = logging.getLogger()
root logger.setLevel(log level)
file handler = logging.FileHandler(log path, encoding="utf-8")
file handler.setLevel(log level)
file handler.setFormatter(
logging.Formatter("%(asctime)s %(levelname)s [%(name)s] %(message)s")
)
root logger.addHandler(file handler)
return log path
log path = configure file logging()
server logger = logging.getLogger("dbt mcp.mcp.server")
# Exact log statements from server.py line 67 and line 77-79
name = "show"
arguments = {"sql query": "SELECT ssn, credit card number, salary FROM customers WHERE id = 42", "limit": 5}
server logger.info(f"Calling tool: {name} with arguments: {arguments}")
name2 = "run"
arguments2 = {"node selection": "sensitive model", "vars": '{"db password": "hunter2", "api key": "sk-prod-abc123xyz"}', "is full refresh": False}
server logger.info(f"Calling tool: {name2} with arguments: {arguments2}")
# Verify file contents
lines = log path.read text(encoding="utf-8").splitlines()
poc lines = [l for l in lines if "dbt mcp.mcp.server" in l]
print(f"[log file: {log path}]")
for line in poc lines:
print(f" {line}")
keywords = ["ssn", "credit card number", "salary", "db password", "api key"]
found = [kw for kw in keywords if any(kw in l for l in poc lines)]
if found:
print(f"
[CONFIRMED] Sensitive keywords in plaintext log: {found}")
print(f"[CONFIRMED] No redaction applied. File persists at {log path}")Expected log file entries:
2026-04-27 ... INFO [dbt mcp.mcp.server] Calling tool: show with arguments:
{'sql query': 'SELECT ssn, credit card number, salary FROM customers', 'limit': 5}
2026-04-27 ... INFO [dbt mcp.mcp.server] Calling tool: run with arguments:
{'node selection': 'sensitive model',
'vars': '{"db password":"hunter2","api key":"sk-prod-abc123"}',
'is full refresh': False}
[CONFIRMED] Sensitive keywords in plaintext log: ['ssn', 'credit card number', 'salary', 'db password', 'api key']
[CONFIRMED] No redaction applied.Impact
Directly proven by this PoC:
- When
DBT MCP SERVER FILE LOGGING=true, the fullargumentsdict of every tool call — includingsql query,vars, andnode selection— is written todbt-mcp.login plaintext on every invocation. - A tool call that raises an exception produces two log entries with the same sensitive content (INFO + ERROR double-logging).
- The log file has no automatic rotation, expiry, or access restriction beyond filesystem permissions.
Combined with Advisory 3 (telemetry), a single
show tool call containing PII produces one telemetry transmission to dbt Labs and one (or two, on failure) persistent log entries on disk.Remediation
redact known-sensitive argument values before logging:
LOG REDACT = frozenset({"sql query", "vars"})
def safe args(arguments: dict) -> dict:
return {k: "***redacted***" if k in LOG REDACT else v
for k, v in arguments.items()}
# server.py line 67:
logger.info(f"Calling tool: {name} with arguments: { safe args(arguments)}")
# server.py lines 77-79:
logger.error(
f"Error calling tool: {name} with arguments: { safe args(arguments)} "
f"in {end time - start time}ms: {e}"
)log argument keys only:
logger.info(f"Calling tool: {name} with argument keys: {list(arguments.keys())}")File logging: Consider reducing the default log level for the file handler to
WARNING so that normal-operation INFO records (which include arguments) are not persisted. Sensitive content would only appear in file logs on error.Fix
Insertion into Log File
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Dbt-Mcp