Cyber Resilience

CVE-2026-25650

Medium

Published: 06 February 2026

Published
06 February 2026
Modified
24 February 2026
KEV Added
Patch
CVSS Score v4 6.6 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0002 5.0th percentile
Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-25650 is a medium-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Smn2Gnt Mcp Salesforce Connector. Its CVSS base score is 6.6 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 5.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as AI Agent Protocols and Integrations; in the Privacy and Disclosure risk domain.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-25650 is an information disclosure vulnerability in the MCP Salesforce Connector, a Model Context Protocol (MCP) server implementation designed for Salesforce integration. Versions prior to 0.1.10 suffer from arbitrary attribute access, which enables attackers to extract the Salesforce authentication token. The issue is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

The vulnerability can be exploited remotely over the network by unauthenticated attackers with low complexity and no user interaction required. Successful exploitation results in high confidentiality impact through disclosure of the Salesforce auth token, potentially granting attackers unauthorized access to Salesforce instances and associated data.

Mitigation is available in MCP Salesforce Connector version 0.1.10, which addresses the arbitrary attribute access flaw. Security advisories recommend immediate upgrades to this patched release. Key resources include the fixing commit (https://github.com/smn2gnt/MCP-Salesforce/commit/a1e3a5a786f48508d066b6d40b58201ebf9b7fd6), the v0.1.10 release notes (https://github.com/smn2gnt/MCP-Salesforce/releases/tag/v0.1.10), and the GitHub security advisory (https://github.com/smn2gnt/MCP-Salesforce/security/advisories/GHSA-vf6j-c56p-cq58).

EU & UK References

Vulnerability details

MCP Salesforce Connector is a Model Context Protocol (MCP) server implementation for Salesforce integration. Prior to 0.1.10, arbitrary attribute access leads to disclosure of Salesforce auth token. This vulnerability is fixed in 0.1.10.

CWE(s)

AI Security AnalysisAI

AI Category
AI Agent Protocols and Integrations
Risk Domain
Privacy and Disclosure
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: mcp, model context protocol

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1528 Steal Application Access Token Credential Access
Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.
Why these techniques?

Remote unauthenticated exploitation of public-facing MCP connector (T1190) directly enables extraction of Salesforce application access token (T1528).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-11749Shared CWE-200
CVE-2026-26069Shared CWE-200
CVE-2024-13796Shared CWE-200
CVE-2025-25975Shared CWE-200
CVE-2024-12142Shared CWE-200
CVE-2025-25951Shared CWE-200
CVE-2025-15103Shared CWE-200
CVE-2026-34297Shared CWE-200
CVE-2024-26480Shared CWE-200
CVE-2026-24498Shared CWE-200

Affected Assets

smn2gnt
mcp salesforce connector
≤ 0.1.10

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires timely flaw remediation through patching the MCP Salesforce Connector to version 0.1.10, directly eliminating the arbitrary attribute access vulnerability.

prevent

Enforces approved authorizations for logical access to system resources, preventing arbitrary unauthorized access to sensitive attributes like the Salesforce auth token.

prevent

Limits access privileges to the minimum necessary, reducing the risk of Salesforce auth token exposure even if primary access enforcement mechanisms are flawed.

References