External risk intelligence

mcp-pinot Unauthenticated Access Grants Full Apache Pinot Cluster Control

CVE advisorySeverity: CRITICAL (CVSS 10.0)

CVE-2026-49257

The application defaults to binding an HTTP service to 0.0.0.0 (all network interfaces) on port 8080 with no authentication enabled. By design, this configuration makes the server's full administrative and query capabilities reachable to anyone with network access, including the public internet if deployed in an environment without additional perimeter controls.

Missing Authentication

Halo Surface Signal: 5 out of 5 — more likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory concerns a vulnerability in mcp-pinot, a tool used for interacting with Apache Pinot data systems. The issue allows unauthenticated access to the server, enabling unauthorized users to execute commands, alter data, and potentially gain full control over the connected Pinot cluster. The main concern is confirming if this technology is in use and if it is exposed to unauthorized access.

Unauthenticated access grants full control.
Critical for confirming exposure and use.
Verify if mcp-pinot is deployed and exposed.

Attack Path

How an attacker could exploit the issue

An attacker on the network can interact with the mcp-pinot server without authentication. This allows them to send requests that the server then proxies to Apache Pinot using its own credentials. This creates a confused deputy situation, enabling the attacker to gain full read and write access to the Pinot cluster.

No authentication or network access required.
Triggers through any available server command.
Full read/write access to Pinot cluster.

Live Threat

Current exploitation, exposure, and threat context

The mcp-pinot server, when configured with its default settings, could expose all its functionalities, including SQL queries and data modifications, to any network-adjacent caller. This means an attacker could potentially gain full read and write access to the associated Apache Pinot cluster.

Access to the Pinot cluster.
Unauthenticated network requests.
Unauthorized data manipulation and access.

Operational Fix

Recommended remediation, mitigation, and detection steps

Application owners, infrastructure teams, and potentially platform teams are likely responsible for addressing this vulnerability in mcp-pinot. The first practical step involves identifying all instances of the affected technology, assessing their network reachability and business criticality, and then pinpointing the accountable owner for each. Remediation planning should then be prioritized based on this risk assessment.

Application owners must own the issue.
Verify network exposure and business criticality.
Plan phased remediation based on risk.

Supplementary metadata

CVSS vector

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Free EASM Trial See How Signal Works

Frequently asked questions

What is mcp-pinot?

mcp-pinot is a Python-based Model Context Protocol server that acts as a bridge between LLM-based applications and Apache Pinot. It allows developers to integrate Pinot's real-time analytical data into AI workflows by exposing functions that execute SQL queries, create schemas, and modify table configurations directly within the Pinot cluster.

How does CVE-2026-49257 work?

This vulnerability is classified as CWE-306: Missing Authentication for Critical Function. The server fails to require credentials for any operations. Because it uses its own elevated Pinot credentials to perform tasks, it unknowingly acts as a 'confused deputy,' executing unauthorized commands or data changes on behalf of any user who can reach the server over the network.

When is an mcp-pinot server vulnerable?

The server is vulnerable when running in its default configuration, which binds the HTTP service to all network interfaces (0.0.0.0:8080) without authentication enabled. The bug is triggered by simply sending a request to any available MCP tool endpoint. Local-only deployments that are not reachable from other network segments or the public internet are less susceptible to remote exploitation, though they remain insecure.

Is my deployment exposed to this threat?

According to Halo Surface Signal, this software defaults to an insecure state that makes administrative and query capabilities reachable to anyone with network access. If your server is reachable over your internal network or, worse, the public internet without extra perimeter controls, it is likely exposed. You should prioritize checking if any instances are listening on network interfaces accessible by untrusted users.

What should I do to secure my environment?

The most effective first step is to inventory your infrastructure to identify all running instances of mcp-pinot. Once mapped, verify their network accessibility and designate an owner for each instance to oversee remediation. Because this is a critical access control flaw, planning a move to version 3.1.0 or newer should be prioritized immediately to ensure authentication is enforced.

References

Written by Nicholas Merritt

Nicholas Merritt is VP of Security Solutions at Halo Security. With more than 25 years across application security, vulnerability prioritization, and offensive security, he helps teams translate threat data into practical exposure validation and remediation focus. He authors Halo Threat Intelligence CVE advisories using Halo Surface Signal and H/A/L/O context to prioritize internet-facing risk.