CVE-2026-49257

CVE-2026-49257: mcp-pinot Unauthenticated Tool Invocation via Default oauth_enabled=False

Initial Access Privilege Escalation Exfiltration Last updated:

Detects exploitation of CVE-2026-49257, a critical authentication bypass in mcp-pinot-server (<=3.0.1). The server defaults to oauth_enabled=False and binds to 0.0.0.0, allowing any network-adjacent or internet-facing attacker to invoke MCP tools without authentication. CVSS 10.0 with public PoC available.

Vulnerability Intelligence

Public PoC

Affected Software

Vendor
pip
Product
mcp-pinot-server
Versions
<= 3.0.1

Weakness (CWE)

CWE-306

Timeline

Disclosed
June 26, 2026

CVSS

10.0
Critical (9.0–10)
Read the write-up →

What is CVE-2026-49257 CVE-2026-49257: mcp-pinot Unauthenticated Tool Invocation via Default oauth_enabled=False?

CVE-2026-49257: mcp-pinot Unauthenticated Tool Invocation via Default oauth_enabled=False (CVE-2026-49257) maps to the Initial Access and Privilege Escalation and Exfiltration tactics — the adversary is trying to get into your network in MITRE ATT&CK.

This page provides production-ready detection logic for CVE-2026-49257: mcp-pinot Unauthenticated Tool Invocation via Default oauth_enabled=False, covering the data sources and telemetry it touches: DeviceNetworkEvents, CommonSecurityLog, AzureActivity. The queries below are rated critical severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic
Initial Access Privilege Escalation Exfiltration
Microsoft Sentinel / Defender
kusto 
union DeviceNetworkEvents, CommonSecurityLog
| where TimeGenerated > ago(24h)
| where DestinationPort in (8000, 8080, 8443, 9000, 3000)
| where (ProcessCommandLine has "mcp-pinot" or ProcessCommandLine has "mcp_pinot" or ProcessCommandLine has "uvicorn" or ProcessCommandLine has "fastapi")
| where not (InitiatingProcessAccountName in ("serviceaccount", "mcp-service"))
| extend AuthHeader = extract("Authorization: (\\S+)", 1, AdditionalExtensions)
| where isempty(AuthHeader) or AuthHeader == ""
| project TimeGenerated, DeviceName, RemoteIP, DestinationPort, ProcessCommandLine, InitiatingProcessAccountName, AuthHeader
| order by TimeGenerated desc

Detects inbound HTTP connections to mcp-pinot-server processes on common MCP ports without an Authorization header, indicating unauthenticated tool invocation attempts consistent with CVE-2026-49257 exploitation.

critical severity medium confidence

Data Sources

DeviceNetworkEvents CommonSecurityLog AzureActivity

Required Tables

DeviceNetworkEvents CommonSecurityLog

False Positives

  • Internal service-to-service calls on trusted networks where authentication is handled at the network layer
  • Health check endpoints or monitoring probes that do not send auth headers
  • Development or staging environments where oauth_enabled is intentionally False
  • Load balancer health checks hitting the MCP server directly

Sigma rule & cross-platform mapping

The detection logic for CVE-2026-49257: mcp-pinot Unauthenticated Tool Invocation via Default oauth_enabled=False (CVE-2026-49257) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource: 

logsource:
  category: network_connection
  product: windows

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for CVE-2026-49257 Sigma rules on detection.fyi

Platform-specific guides for CVE-2026-49257

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)
Last updated: 2026-06-27 Research depth: standard
References (6)

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Verify Unauthenticated MCP Tool Listing

    Expected signal: HTTP 200 response with JSON list of available Pinot MCP tools returned without any authentication challenge; no 401 or 403 status code issued.

  2. Test 2Unauthenticated Pinot Query Execution via MCP Tool

    Expected signal: Pinot query execution log entry showing query 'SELECT * FROM myTable LIMIT 10' from MCP server without session token; HTTP 200 from mcp-pinot-server with query results in response body.

  3. Test 3External Network Exploitation Simulation

    Expected signal: Inbound TCP connection from external IP to port 8000; HTTP POST to /tools/list and /tools/call with source IP from outside trusted ranges; no TLS client certificate or Authorization header present.

  4. Test 4Confirm Vulnerable Package Version in Environment

    Expected signal: Command execution events showing pip, find, and ps commands with mcp-pinot arguments; output revealing package version <= 3.0.1 and running process details.

Unlock Pro Content

Get the full detection package for CVE-2026-49257 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0004Privilege EscalationTA0010Exfiltration

Related Techniques

T1190Exploit Public-Facing ApplicationT1059.006PythonT1041Exfiltration Over C2 Channel

Same Tactic: Initial Access

Popular Detections