CVE-2026-25650
Published: 06 February 2026
Summary
CVE-2026-25650 is a medium-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Smn2Gnt Mcp Salesforce Connector. Its CVSS base score is 6.6 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 5.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as AI Agent Protocols and Integrations; in the Privacy and Disclosure risk domain.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-25650 is an information disclosure vulnerability in the MCP Salesforce Connector, a Model Context Protocol (MCP) server implementation designed for Salesforce integration. Versions prior to 0.1.10 suffer from arbitrary attribute access, which enables attackers to extract the Salesforce authentication token. The issue is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
The vulnerability can be exploited remotely over the network by unauthenticated attackers with low complexity and no user interaction required. Successful exploitation results in high confidentiality impact through disclosure of the Salesforce auth token, potentially granting attackers unauthorized access to Salesforce instances and associated data.
Mitigation is available in MCP Salesforce Connector version 0.1.10, which addresses the arbitrary attribute access flaw. Security advisories recommend immediate upgrades to this patched release. Key resources include the fixing commit (https://github.com/smn2gnt/MCP-Salesforce/commit/a1e3a5a786f48508d066b6d40b58201ebf9b7fd6), the v0.1.10 release notes (https://github.com/smn2gnt/MCP-Salesforce/releases/tag/v0.1.10), and the GitHub security advisory (https://github.com/smn2gnt/MCP-Salesforce/security/advisories/GHSA-vf6j-c56p-cq58).
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-5627
Vulnerability details
MCP Salesforce Connector is a Model Context Protocol (MCP) server implementation for Salesforce integration. Prior to 0.1.10, arbitrary attribute access leads to disclosure of Salesforce auth token. This vulnerability is fixed in 0.1.10.
- CWE(s)
AI Security AnalysisAI
- AI Category
- AI Agent Protocols and Integrations
- Risk Domain
- Privacy and Disclosure
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: mcp, model context protocol
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote unauthenticated exploitation of public-facing MCP connector (T1190) directly enables extraction of Salesforce application access token (T1528).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires timely flaw remediation through patching the MCP Salesforce Connector to version 0.1.10, directly eliminating the arbitrary attribute access vulnerability.
Enforces approved authorizations for logical access to system resources, preventing arbitrary unauthorized access to sensitive attributes like the Salesforce auth token.
Limits access privileges to the minimum necessary, reducing the risk of Salesforce auth token exposure even if primary access enforcement mechanisms are flawed.