Public story · 2026-07-01 · high
mcp-pinot exposes SQL tools with no login required
CVE-2026-49257 scored a perfect CVSS 10.0, per Practical DevSecOps, covering SQL, schema, and mutation tools alike.
Why now: Practical DevSecOps' MCP security findings, including this CVE, were covered on July 1.
Story
CVE-2026-49257 hands mcp-pinot's SQL, schema, and table-mutation tools to any unauthenticated caller, drawing a perfect CVSS score of 10.0, per Practical DevSecOps.
Anyone who can reach the server gets full read, write, and delete access to the data behind it, no credentials required. That's the top of the severity scale, assigned to tools built to mutate live tables.
The cause is ordinary. OAuth doesn't ship on by default, so the server answers unauthenticated requests with the same SQL and mutation tools a logged-in caller would get. With OAuth enabled, those tools require credentials again, the way they're supposed to.
Practical DevSecOps treats this as a pattern rather than a one-off bug. Its 2026 MCP security report calls shipping auth off by default the standard failure mode across MCP servers, not an edge case.
Most MCP CVEs this year will trace back to auth left off by default, not to broken code, and mcp-pinot's perfect severity score shows how bad that default can get. If you run mcp-pinot, turn OAuth on before anything else. If you run any MCP server, treat the shipped defaults as open until you've checked otherwise.
Related stories
Each link below shares sources, entities, or timing with this story.
Shared entities / Same source / Shared topic
The official MCP TypeScript SDK leaked data across clients
Both cover CVE, CVSS, MCP, Practical DevSecOps; cite the same source (Practical DevSecOps); overlapping topics (cvss, server).
Shared entities / Shared topic / Earlier coverage
Bitdefender Quantifies MCP Security Crisis: 53% Static Credentials, 8.5% OAuth
Both cover CVE, CVSS, MCP, OAuth; overlapping topics (oauth, server); earlier CVE coverage from 2026-02-22.
Shared entities / Shared topic / Earlier coverage / Tension
MCP Servers Are The New Shadow IT: 30 CVEs in 60 Days, 82% Vulnerable to Path Traversal, 38% Have Zero Auth
Both cover CVE, CVSS, MCP; overlapping topics (auth, server, tool); earlier CVE coverage from 2026-03-23.
Agent Security
Both cover CVSS, MCP, OAuth; overlapping topics (server, tool); earlier CVSS coverage from 2026-02-22.
Shared entities / Same source
MCPJam and nginx-ui Ship 9.8 RCE Bugs
Both cover CVE, MCP, Practical DevSecOps; cite the same source (Practical DevSecOps).
Shared entities / Shared topic / Earlier coverage
Check Point Discloses Triple Claude Code Attack: Hooks RCE, MCP Bypass, API Key Exfiltration.
Both cover CVE, CVSS, MCP; overlapping topics (auth, cvss, server); earlier CVE coverage from 2026-02-25.
Shared entities / Earlier coverage
MCP Security Debt Hits Critical Mass: 30+ CVEs in 60 Days, PraisonAI CVSS 10, Azure AI Foundry CVSS 10
Both cover CVE, CVSS, MCP, SQL; earlier CVE coverage from 2026-04-04.
Shared entities / Shared topic / Earlier coverage
The MCP supply chain has a hole in the floor, and it's being exploited right now
Both cover CVE, CVSS, MCP; overlapping topics (auth, server); earlier CVE coverage from 2026-06-17.
Source trail
Entities
Claim evidence
- mcp-pinot exposes SQL tools with no login required
Provenance
- Canonical issue
- 2026-07-01
- AI generated
- yes
- Story unit
- 2026-07-01-mcp-pinot-ships-a-cvss-10-0-with-oauth-off-by-default-handing-sql-and-table-mutation-tools-to-an
- Labels
- source-backed, canonical briefing excerpt