Home

Description

MCP Salesforce Connector is a Model Context Protocol (MCP) server implementation for Salesforce integration. Prior to 0.1.10, arbitrary attribute access leads to disclosure of Salesforce auth token. This vulnerability is fixed in 0.1.10.

PUBLISHED Reserved 2026-02-04 | Published 2026-02-06 | Updated 2026-02-09 | Assigner GitHub_M




MEDIUM: 6.6CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U

Problem types

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

Product status

< 0.1.10
affected

References

github.com/...sforce/security/advisories/GHSA-vf6j-c56p-cq58

github.com/...ommit/a1e3a5a786f48508d066b6d40b58201ebf9b7fd6

github.com/smn2gnt/MCP-Salesforce/releases/tag/v0.1.10

cve.org (CVE-2026-25650)

nvd.nist.gov (CVE-2026-25650)

Download JSON