Detect CVE-2026-49257: mcp-pinot Unauthenticated Tool Invocation via Default oauth_enabled=False in Google Chronicle
Detects exploitation of CVE-2026-49257, a critical authentication bypass in mcp-pinot-server (<=3.0.1). The server defaults to oauth_enabled=False and binds to 0.0.0.0, allowing any network-adjacent or internet-facing attacker to invoke MCP tools without authentication. CVSS 10.0 with public PoC available.
MITRE ATT&CK
YARA-L Detection Query
rule cve_2026_49257_mcp_pinot_unauth_invocation {
meta:
author = "df00tech Detection Platform"
description = "Detects unauthenticated tool invocation against mcp-pinot-server (CVE-2026-49257)"
severity = "CRITICAL"
reference = "https://github.com/startreedata/mcp-pinot/security/advisories/GHSA-73cv-556c-w3g6"
events:
$e.metadata.event_type = "NETWORK_HTTP"
$e.network.http.method = "POST"
(
$e.network.http.target_url = /\/tools\// or
$e.network.http.target_url = /\/invoke/ or
$e.network.http.target_url = /\/call/
)
not $e.network.http.request_headers["authorization"] != ""
(
$e.target.port = 8000 or
$e.target.port = 8080 or
$e.target.port = 9000 or
$e.target.port = 3000
)
(
$e.principal.process.command_line = /mcp.?pinot/ or
$e.target.hostname = /mcp.?pinot/
)
condition:
$e
}Chronicle YARA-L rule detecting HTTP POST requests to mcp-pinot tool invocation endpoints without Authorization headers on common MCP server ports, matching CVE-2026-49257 exploitation patterns.
Data Sources
Required Tables
False Positives & Tuning
- Internal GCP service-to-service calls authenticated via IAM rather than bearer tokens
- Log sources not capturing HTTP request header details in UDM
- Development environments with authentication intentionally disabled
- Proxy infrastructure stripping auth headers before ingestion into Chronicle
Other platforms for CVE-2026-49257
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Verify Unauthenticated MCP Tool Listing
Expected signal: HTTP 200 response with JSON list of available Pinot MCP tools returned without any authentication challenge; no 401 or 403 status code issued.
- Test 2Unauthenticated Pinot Query Execution via MCP Tool
Expected signal: Pinot query execution log entry showing query 'SELECT * FROM myTable LIMIT 10' from MCP server without session token; HTTP 200 from mcp-pinot-server with query results in response body.
- Test 3External Network Exploitation Simulation
Expected signal: Inbound TCP connection from external IP to port 8000; HTTP POST to /tools/list and /tools/call with source IP from outside trusted ranges; no TLS client certificate or Authorization header present.
- Test 4Confirm Vulnerable Package Version in Environment
Expected signal: Command execution events showing pip, find, and ps commands with mcp-pinot arguments; output revealing package version <= 3.0.1 and running process details.
References (6)
- https://github.com/startreedata/mcp-pinot/security/advisories/GHSA-73cv-556c-w3g6
- https://nvd.nist.gov/vuln/detail/CVE-2026-49257
- https://github.com/startreedata/mcp-pinot/issues/90
- https://github.com/startreedata/mcp-pinot/pull/95
- https://github.com/startreedata/mcp-pinot/commit/1c7d3f9cd384854bf72c127d230bdb32299475ad
- https://github.com/advisories/GHSA-73cv-556c-w3g6
Unlock Pro Content
Get the full detection package for CVE-2026-49257 including response playbook, investigation guide, and atomic red team tests.