dbt MCP Server: Unauthenticated OAuth Context Endpoint Leaks dbt Platform Tokens
6 CRIT · 1 LOW · THREAT RED · 7 items · Generated in 188s
dbt platform tokens leaked due to unauthenticated endpoint
Unescaped locator data XSS in MCP-UI Resource allows attackers to inject arbitrary HTML and JavaScript, leading to unauthorized tool execution.
MCP server vulnerable to DNS-resolved Private Hostname SSRF, allowing exfiltration of sensitive data
Unbounded memory and CPU consumption due to bypassed URL size limit check
Unauthenticated HTTP server and lack of DNS-rebinding protection
Unsanitized interpolation of attacker-influenceable tool parameters into shell command strings allows arbitrary OS command execution with user privileges.
Exposes Uni-CLI to local attacks if legacy HTTP transport is used without proper validation
No new AI-centered threat headlines found.