MCP Salesforce Connector has arbitrary attribute access which leads to...

6.6 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U

Description

MCP Salesforce Connector is a Model Context Protocol (MCP) server implementation for Salesforce integration. Prior to 0.1.10, arbitrary attribute access leads to disclosure of Salesforce auth token. This vulnerability is fixed in 0.1.10.

Basic Information

ID CVE-2026-25650

Source GitHub_M

Published Feb 6, 2026 at 18:53

Affected Product

Vendor smn2gnt

Product MCP-Salesforce

Version < 0.1.10

Affected Versions smn2gnt MCP-Salesforce < 0.1.10

CWE Classification

CWE-200

References

{
    "lastseen": "",
    "description": "MCP Salesforce Connector is a Model Context Protocol (MCP) server implementation for Salesforce integration. Prior to 0.1.10, arbitrary attribute access leads to disclosure of Salesforce auth token. This vulnerability is fixed in 0.1.10.",
    "published": "2026-02-06T18:53:58.009Z",
    "modified": "2026-02-06T18:53:58.009Z",
    "type": "cve",
    "title": "MCP Salesforce Connector has arbitrary attribute access which leads to disclosure of Salesforce auth token",
    "source": "GitHub_M",
    "references": "https://github.com/smn2gnt/MCP-Salesforce/security/advisories/GHSA-vf6j-c56p-cq58\nhttps://github.com/smn2gnt/MCP-Salesforce/commit/a1e3a5a786f48508d066b6d40b58201ebf9b7fd6\nhttps://github.com/smn2gnt/MCP-Salesforce/releases/tag/v0.1.10",
    "id": "CVE-2026-25650",
    "bulletinFamily": "",
    "cwe": [
        "CWE-200"
    ],
    "cvelist": null,
    "sourceData": "smn2gnt MCP-Salesforce < 0.1.10",
    "sourceHref": "",
    "cvss": {
        "score": 6.6,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "MCP-Salesforce",
    "version": "< 0.1.10",
    "vendor": "smn2gnt",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

MCP Salesforce Connector has arbitrary attribute access which leads to disclosure of Salesforce auth token_CVE-2026-25650