← The Wire

Public story · 2026-07-01 · high

mcp-pinot exposes SQL tools with no login required

CVE-2026-49257 scored a perfect CVSS 10.0, per Practical DevSecOps, covering SQL, schema, and mutation tools alike.

Why now: Practical DevSecOps' MCP security findings, including this CVE, were covered on July 1.

Confidence
high
Sources
1
Redaction
passed

Story

CVE-2026-49257 hands mcp-pinot's SQL, schema, and table-mutation tools to any unauthenticated caller, drawing a perfect CVSS score of 10.0, per Practical DevSecOps.

Anyone who can reach the server gets full read, write, and delete access to the data behind it, no credentials required. That's the top of the severity scale, assigned to tools built to mutate live tables.

The cause is ordinary. OAuth doesn't ship on by default, so the server answers unauthenticated requests with the same SQL and mutation tools a logged-in caller would get. With OAuth enabled, those tools require credentials again, the way they're supposed to.

Practical DevSecOps treats this as a pattern rather than a one-off bug. Its 2026 MCP security report calls shipping auth off by default the standard failure mode across MCP servers, not an edge case.

Most MCP CVEs this year will trace back to auth left off by default, not to broken code, and mcp-pinot's perfect severity score shows how bad that default can get. If you run mcp-pinot, turn OAuth on before anything else. If you run any MCP server, treat the shipped defaults as open until you've checked otherwise.

Related stories

Each link below shares sources, entities, or timing with this story.

  1. Shared entities / Same source / Shared topic

    The official MCP TypeScript SDK leaked data across clients

    Both cover CVE, CVSS, MCP, Practical DevSecOps; cite the same source (Practical DevSecOps); overlapping topics (cvss, server).

  2. Shared entities / Shared topic / Earlier coverage

    Bitdefender Quantifies MCP Security Crisis: 53% Static Credentials, 8.5% OAuth

    Both cover CVE, CVSS, MCP, OAuth; overlapping topics (oauth, server); earlier CVE coverage from 2026-02-22.

  3. Shared entities / Shared topic / Earlier coverage / Tension

    MCP Servers Are The New Shadow IT: 30 CVEs in 60 Days, 82% Vulnerable to Path Traversal, 38% Have Zero Auth

    Both cover CVE, CVSS, MCP; overlapping topics (auth, server, tool); earlier CVE coverage from 2026-03-23.

  4. Agent Security

    Both cover CVSS, MCP, OAuth; overlapping topics (server, tool); earlier CVSS coverage from 2026-02-22.

  5. Shared entities / Same source

    MCPJam and nginx-ui Ship 9.8 RCE Bugs

    Both cover CVE, MCP, Practical DevSecOps; cite the same source (Practical DevSecOps).

  6. Shared entities / Shared topic / Earlier coverage

    Check Point Discloses Triple Claude Code Attack: Hooks RCE, MCP Bypass, API Key Exfiltration.

    Both cover CVE, CVSS, MCP; overlapping topics (auth, cvss, server); earlier CVE coverage from 2026-02-25.

  7. Shared entities / Earlier coverage

    MCP Security Debt Hits Critical Mass: 30+ CVEs in 60 Days, PraisonAI CVSS 10, Azure AI Foundry CVSS 10

    Both cover CVE, CVSS, MCP, SQL; earlier CVE coverage from 2026-04-04.

  8. Shared entities / Shared topic / Earlier coverage

    The MCP supply chain has a hole in the floor, and it's being exploited right now

    Both cover CVE, CVSS, MCP; overlapping topics (auth, server); earlier CVE coverage from 2026-06-17.

Source trail

Entities

Claim evidence

  1. mcp-pinot exposes SQL tools with no login required

Provenance

Canonical issue
2026-07-01
AI generated
yes
Story unit
2026-07-01-mcp-pinot-ships-a-cvss-10-0-with-oauth-off-by-default-handing-sql-and-table-mutation-tools-to-an
Labels
source-backed, canonical briefing excerpt