PT-2026-6777 · Unknown+1 · Mcp-Salesforce-Connector+1
Mn2Gnt · Published 2026-02-06 · Updated 2026-04-23 · CVE-2026-25650
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
MCP Salesforce Connector versions prior to 0.1.10
Description
The software is a Model Context Protocol (MCP) server implementation for Salesforce integration. A flaw exists where arbitrary attribute access can lead to the disclosure of Salesforce authentication tokens. The tokens exposed are the Salesforce OAuth bearer tokens used by the MCP server.
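The bug class described above, shown as an added example that is not the connector's code and is not taken from this advisory: a hypothetical handler that passes a caller-supplied name to `getattr()`, beside an allow-listed version. The client class, its attribute names and the token value are constructed assumptions.

```python
# Added illustration of the bug class. Every name here is hypothetical;
# this is not the connector's code.

class FakeSalesforceClient:
    """Constructed stand-in for an API client that stores its OAuth token."""

    def __init__(self, session_id):
        self.session_id = session_id  # bearer token, must never reach tool output
        self.instance_url = "https://example.invalid"

    def describe(self):
        return {"sobjects": ["Account", "Contact"]}

    def limits(self):
        return {"DailyApiRequests": {"Max": 15000, "Remaining": 14990}}

def resolve_unsafe(client, name):
    """Vulnerable pattern: a caller-chosen name goes straight into getattr()."""
    value = getattr(client, name)
    return value() if callable(value) else value

# Hardened pattern: the tool exposes a fixed set of operations and nothing else.
ALLOWED_OPERATIONS = frozenset({"describe", "limits"})

def resolve_safe(client, name):
    """Dispatch only allow-listed operations; refuse every other attribute."""
    if not isinstance(name, str) or name not in ALLOWED_OPERATIONS:
        raise PermissionError(f"operation not permitted: {name!r}")
    return getattr(client, name)()

def redact(text, secrets):
    """Defence in depth: mask known secret values in text returned to the caller."""
    for secret in secrets:
        if secret:
            text = text.replace(secret, "[REDACTED]")
    return text

if __name__ == "__main__":
    sf = FakeSalesforceClient("constructed-token-value")
    print(resolve_safe(sf, "limits"))
    try:
        resolve_safe(sf, "session_id")
    except PermissionError as exc:
        print(exc)
```

The allow-list is the primary control; `redact()` only limits the damage if a token reaches an error message or log line by another route.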
Recommendations
Update to version 0.1.10 or later.
Rotate any Salesforce tokens or credentials used by MCP-Salesforce.
Information Disclosure
Affected Products
Mcp-Salesforce-Connector
Salesforce