MCP-Pinot Default Insecure Configuration Enables Unauthenticated Remote Tool Invocation
mcp-pinot shipped with OAuth disabled by default and bound to 0.0.0.0, allowing unauthenticated network attackers to invoke MCP tools and execute queries against downstream Pinot clusters using server credentials. This is a critical authentication bypass with CVSS 10.0.
CVE References
Affected
Vulnerability Description
This vulnerability stems from a dangerous combination of insecure defaults in the mcp-pinot Model Context Protocol server. The root cause is twofold: (1) OAuth authentication was disabled by default (oauth_enabled=False), and (2) the HTTP server was bound to the wildcard address 0.0.0.0:8080 rather than the loopback interface. This creates a network-accessible unauthenticated service that acts as a privileged proxy to backend Pinot clusters. The impact is severe—unauthenticated remote callers can invoke MCP tools to read sensitive table data, cluster metadata, and modify schemas/configs with the privileges of the compromised server identity, crossing security boundaries.
Proof-of-Concept Significance
This disclosure demonstrates that the PoC is trivial to execute: any network-adjacent attacker can craft direct MCP tool calls over HTTP without credentials. The low attack complexity (AC:L), absence of privilege requirements (PR:N), and lack of user interaction (UI:N) mean this vulnerability is highly reliable and exploitable by unsophisticated threat actors. The scope is changed (S:C) because the MCP server uses backend credentials to pivot into a separate Pinot cluster, amplifying the blast radius. Real-world exploitation requires network access to port 8080 on the affected host—likely in cloud deployments or insufficiently segmented networks.
Detection Guidance
Defenders should monitor for:
(1) Network telemetry: unexpected inbound HTTP connections to port 8080 from external sources, especially non-loopback IPs.
(2) HTTP access logs: requests to MCP endpoints lacking Authorization headers or Bearer tokens.
(3) Log signatures: HTTP POST requests to paths like /mcp/tools or similar MCP invocation endpoints with 200-level responses from unauthenticated clients.
(4) Audit logs in Pinot: unusual query activity or schema modifications originating from the mcp-pinot service account, particularly outside business hours or from atypical patterns.
(5) Process inspection: mcp-pinot instances listening on 0.0.0.0 rather than 127.0.0.1 in netstat/ss output.
Mitigation Steps
Immediate actions:
(1) Upgrade to v3.1.0 or later, which defaults to 127.0.0.1 binding, enables OAuth requirement for non-loopback exposure, and adds read-only statement validation.
(2) Implement network segmentation: restrict access to port 8080 to authorized clients only via firewalls or security groups.
(3) Enable OAuth in all deployments regardless of version, even as a temporary control.
(4) Audit running instances for insecure binding: netstat -tlnp | grep 8080 or equivalent.
(5) Review Pinot query and schema modification logs for unauthorized activity dating back to deployment.
For Helm deployments, ensure exposure is opt-in and OAuth-gated post-patch.
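The binding audit in mitigation step (4) and detection item (5) can be made stricter than a plain grep. The following is an added example, not code from the advisory or from the mcp-pinot project: it classifies every listener on port 8080 in `ss -tln` or `netstat -tln` output as wildcard, loopback, or bound to a specific interface. The function names and the sample listing are constructed for illustration.

```python
import ipaddress

# Constructed sample: `ss -tln` rows plus one `netstat -tln` row (tcp6).
SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:8080       0.0.0.0:*
LISTEN 0      128    127.0.0.1:8080     0.0.0.0:*
LISTEN 0      128    [::]:8080          [::]:*
LISTEN 0      128    [::1]:8080         [::]:*
LISTEN 0      128    0.0.0.0:18080      0.0.0.0:*
LISTEN 0      128    10.0.4.7:8080      0.0.0.0:*
tcp6   0      0      :::8080            :::*       LISTEN
"""

def classify_listeners(listing, port=8080):
    """Return (local_address, exposure) for each TCP listener on `port`.

    Both `ss -tln` and `netstat -tln` put the local address in column 4.
    """
    findings = []
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) < 4 or "LISTEN" not in fields:
            continue  # header or non-listening row
        local = fields[3]
        host, _, port_text = local.rpartition(":")
        # Compare the port exactly; `grep 8080` would also match 18080.
        if not port_text.isdigit() or int(port_text) != port:
            continue
        host = host.strip("[]").split("%")[0]  # drop IPv6 brackets, %iface scope
        try:
            ip = None if host == "*" else ipaddress.ip_address(host)
        except ValueError:
            continue  # not an address we can classify
        if ip is None or ip.is_unspecified:
            exposure = "wildcard"        # 0.0.0.0, [::], ::, *
        elif ip.is_loopback:
            exposure = "loopback"        # 127.0.0.0/8, ::1
        else:
            exposure = "specific-interface"
        findings.append((local, exposure))
    return findings

def exposed_listeners(listing, port=8080):
    """Listeners reachable from other hosts (anything not loopback)."""
    return [addr for addr, exp in classify_listeners(listing, port) if exp != "loopback"]

if __name__ == "__main__":
    for addr in exposed_listeners(SAMPLE):
        print("non-loopback listener:", addr)
```

A hit shows only that something is listening on the port; confirm the owning process (for example with the `-p` option of `ss` or `netstat`) before attributing it to mcp-pinot.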
Risk Assessment
This vulnerability poses critical real-world risk in cloud-native and containerized environments where default configurations propagate widely and network isolation assumptions are weak. Threat actors targeting data exfiltration, supply chain compromise, or lateral movement would find this trivial to exploit at scale. The CVSS 10.0 rating reflects maximum exploitability: no barriers exist in default deployments. Likelihood of wild exploitation is high given the ease of discovery (default ports, public advisory) and the value of downstream Pinot data (analytics, financial, customer data). Organizations running mcp-pinot in development, CI/CD, or analytics pipelines are at heightened risk and should prioritize patching immediately.
Sources