What happened
mcp-pinot versions 3.0.1 and below default to running an HTTP MCP server bound to 0.0.0.0:8080 with no authentication. All MCP tools — including SQL query execution against Apache Pinot, schema creation, and table administration — are exposed without any access control to any network-reachable client. The issue was published to NVD on June 18, 2026 with a CVSS score of 10.0 (Critical). A fix was committed to the repository.
Why it matters
MCP servers are the tool-execution layer for AI agents. An unauthenticated, internet-exposed MCP server allows any attacker to directly invoke the agent's tools — in this case arbitrary SQL queries against Apache Pinot, schema manipulation, and data exfiltration — without needing to compromise any AI model or agent orchestrator. This is a complete authentication bypass on an AI agent's real-world action surface.
Attack vector
Attacker sends unauthenticated HTTP requests to port 8080 on any network-reachable mcp-pinot deployment, invoking MCP tools including arbitrary SQL queries, schema creation, and table operations against the connected Apache Pinot cluster.
Affected systems
mcp-pinot ≤ 3.0.1 (Python-based MCP server for Apache Pinot)
Mitigation
Update to mcp-pinot > 3.0.1. Apply network-level controls to restrict access to port 8080. See fix commit: https://github.com/startreedata/mcp-pinot/commit/1c7d3f9cd384854bf72c127d230bdb32299475ad