CVE-2026-49257 Splunk · SPL

Detect CVE-2026-49257: mcp-pinot Unauthenticated Tool Invocation via Default oauth_enabled=False in Splunk

Detects exploitation of CVE-2026-49257, a critical authentication bypass in mcp-pinot-server (<=3.0.1). The server defaults to oauth_enabled=False and binds to 0.0.0.0, allowing any network-adjacent or internet-facing attacker to invoke MCP tools without authentication. CVSS 10.0 with public PoC available.

MITRE ATT&CK

Tactic
Initial Access Privilege Escalation Exfiltration

SPL Detection Query

Splunk (SPL)
spl 
index=* sourcetype IN ("access_log", "nginx_access", "apache_access", "uvicorn", "python:app") 
| where match(_raw, "(?i)(mcp.pinot|mcp_pinot|/tools/|/invoke|/call)")
| rex field=_raw "\"(?P<http_method>GET|POST|PUT|DELETE|PATCH) (?P<uri_path>/[^\"]+)\""
| rex field=_raw "Authorization: (?P<auth_header>[^\r\n]+)"
| where isnull(auth_header) OR auth_header=""
| where http_method="POST" AND (match(uri_path, "/tools/") OR match(uri_path, "/invoke") OR match(uri_path, "/call"))
| stats count AS unauthenticated_invocations, values(uri_path) AS paths, values(src_ip) AS source_ips BY host
| where unauthenticated_invocations > 0
| sort -unauthenticated_invocations
critical severity medium confidence

Searches HTTP access logs for POST requests to mcp-pinot tool invocation endpoints lacking an Authorization header, identifying potential unauthenticated exploitation of CVE-2026-49257.

Data Sources

HTTP access logsApplication logsPython ASGI server logs

Required Sourcetypes

access_lognginx_accessapache_accessuvicornpython:app

False Positives & Tuning

  • Internal microservice mesh calls where mTLS replaces bearer token auth
  • Automated integration test suites running against non-production instances
  • Monitoring agents issuing unauthenticated health probes
  • Misconfigured reverse proxies stripping Authorization headers before logging

Other platforms for CVE-2026-49257

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Verify Unauthenticated MCP Tool Listing

    Expected signal: HTTP 200 response with JSON list of available Pinot MCP tools returned without any authentication challenge; no 401 or 403 status code issued.

  2. Test 2Unauthenticated Pinot Query Execution via MCP Tool

    Expected signal: Pinot query execution log entry showing query 'SELECT * FROM myTable LIMIT 10' from MCP server without session token; HTTP 200 from mcp-pinot-server with query results in response body.

  3. Test 3External Network Exploitation Simulation

    Expected signal: Inbound TCP connection from external IP to port 8000; HTTP POST to /tools/list and /tools/call with source IP from outside trusted ranges; no TLS client certificate or Authorization header present.

  4. Test 4Confirm Vulnerable Package Version in Environment

    Expected signal: Command execution events showing pip, find, and ps commands with mcp-pinot arguments; output revealing package version <= 3.0.1 and running process details.

Last updated: 2026-06-27 Research depth: standard
References (6)

Unlock Pro Content

Get the full detection package for CVE-2026-49257 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0004Privilege EscalationTA0010Exfiltration

Related Techniques

T1190Exploit Public-Facing ApplicationT1059.006PythonT1041Exfiltration Over C2 Channel

Same Tactic: Initial Access

Popular Detections