On May 13, 2026, security teams woke up to 120 new CVEs from Microsoft’s May Patch Tuesday cycle. Two scored 10.0. One scored 9.9. One scored 9.8. The Cisco SD-WAN disclosure the following day added another CVSS 10.0 with confirmed active exploitation. For the defenders trying to sequence this work, last week was the heaviest single patch cycle of the year so far.
Somewhere in that triage queue: CVE-2026-44970. CVSS 3.1.
CVE-2026-44970 affects dbt MCP Server version 1.15.1 and earlier. dbt is a SQL transformation tool widely used in data engineering; its MCP server bridges AI model interactions to the dbt CLI for AI-assisted analytics workflows. The vulnerability does not require an attacker. No exploit code, no network delivery, no privilege escalation chain. What it does is simpler: dbt MCP’s default telemetry configuration captures every MCP tool call argument and transmits it to dbt Labs telemetry endpoints. Every one. That includes raw SQL queries. That includes the --vars flags that dbt users pass at runtime, which is where database connection strings and credentials live. The transmission happens by default, without user notice, with no opt-out in the default configuration. The data exits the organization’s control the moment a developer invokes the tool.
The CVSS score of 3.1 is technically defensible. CVSS measures technical exploitability and impact severity on a vulnerable system. CVE-2026-44970 describes an architectural decision, not an exploit. No attacker is required. The scorer correctly identified that there is no buffer overflow, no code execution, no privilege escalation. By the criteria CVSS was designed to measure, this is a low-severity item.
This is exactly the problem.
The Metric Measures the Wrong Thing
CVSS was designed in 2004 to give organizations a consistent, reproducible measure of technical vulnerability severity. It does that reasonably well for the vulnerability class it was built around: a remote attacker exploiting a flaw in software to gain unauthorized access or execute code. What it was not designed to measure is the operational consequence of sustained, silent, authorized data exfiltration to a third-party endpoint. The CVSS framework has no field for “third-party data destination.” It has no criterion for “sensitivity of the data category being captured.” These gaps did not matter much in 2004. Developer tools did not collect telemetry by default. The exposure those gaps now leave unmeasured did not exist at scale.
In 2026, the gap between what CVSS measures and what organizations need to know has widened significantly. Developer and AI tooling routinely transmits usage data to vendors as a default configuration choice. The telemetry is typically described as “product analytics” or “usage statistics.” What that framing omits is that the tools capturing these analytics sit in environments where the tool call arguments, the invocation parameters, and the operational context are themselves sensitive data. dbt is a database tool. The things you pass to a database tool are database queries and database credentials. A telemetry system that captures “tool call arguments” in a database tool is capturing database queries and database credentials.
The CVSS score does not know this. It looks at the technical mechanism and correctly identifies that no exploit exists. It does not know what kind of tool is generating the arguments, or what those arguments contain, or what the operational consequence is of transmitting them to a vendor endpoint over the lifespan of a deployed analytics workflow.
Security teams using CVSS as their primary triage mechanism will address CVE-2026-44970 after the 9.x and 8.x items. In a week where two CVSS 10.0 vulnerabilities and a zero-day Exchange server flaw (CVE-2026-42897, no permanent patch available, active exploitation confirmed) are all demanding immediate action, a 3.1 is realistically deprioritized until the next sprint at best, or indefinitely at worst. In the meantime, every dbt MCP Server installation at the affected version continues transmitting its telemetry payload.
CVE-2026-44970 Is Not Unique
The same manual source code review that found CVE-2026-44970 found CVE-2026-44968 simultaneously: an argument injection flaw in the same tool, allowing arbitrary dbt CLI flag injection via unsanitized node_selection and resource_type parameters. CVE-2026-44968 scored CVSS 6.3. It will be triaged and patched well ahead of the telemetry issue, because the score says to do it in that order. The argument injection flaw enabling command execution in any environment with dbt installed receives more operational urgency than the telemetry flaw already exfiltrating credentials in production.
CVE-2026-44970 is an extreme example, but it is not isolated. Open WebUI released more than ten CVEs in this same reporting week, including multiple vulnerabilities scored at CVSS 3.x that allow any authenticated user to read admin-configured system prompts. In enterprise AI deployments, those prompts frequently contain confidential business logic, vendor connection parameters, and operational instructions that constitute sensitive intellectual property. CVSS scores those disclosures as low severity because a user reading a system prompt is technically a low-impact event. The business consequence of competitors or contractors reading your AI deployment’s operational instructions through a front-end exposure is not part of the calculation.
The AI Toolchain Compounds the Problem
The AI toolchain has introduced a new class of trust-based vulnerabilities that CVSS was not designed to evaluate, and it has introduced them at speed. This is the eighth consecutive week of new AI framework CVE disclosures tracked since W18. Across that run, the recurring structural failure is identical: AI tools bridge model output to shell execution, file systems, or network connections without treating that pathway as a security boundary. PraisonAI’s MCP server (CVE-2026-44336, CVSS 9.6) achieved remote code execution via an unsanitized path parameter that any experienced code reviewer would have caught in a first-pass audit. LiteLLM’s custom guardrail sandbox (CVE-2026-40217, CVSS 8.8) failed at bytecode manipulation documented in public Python security research. mlflow’s FastAPI auth middleware (CVE-2026-2652, CVSS 8.6) left authentication unenforced across all non-gateway routes.
The high-scoring items in that list will get attention. The trust-based items, where data exits without exploit, where the authorization is by design, where CVSS has nothing meaningful to measure, will not.
This is not a calibration failure in any individual CVE score. It is a structural gap in a measurement system the industry built for one class of vulnerabilities and is now applying to all of them.
Where This Goes
The AI telemetry problem will not self-correct. Developer tools adopting analytics as a default behavior have commercial incentives to maintain those defaults. CVSS has no mechanism to escalate a 3.1 because the captured data category is high-sensitivity. Organizations relying on CVSS-based triage will continue to sequence telemetry disclosures behind technical exploits, and the telemetry will continue to run.
The practical response requires adding a supplementary triage criterion: for any vulnerability described as telemetry behavior, default data transmission, or third-party data sharing, evaluate the sensitivity of the data category being captured independently of the CVSS score. CVE-2026-44970 requires upgrading dbt MCP Server past version 1.15.1 and auditing telemetry configuration. If that review waits until after the CVSS 9.x queue clears, it waits too long.
Longer term, the category requires a name. “By-design data exposure” or “trust-based exfiltration” captures the class: architecturally intended behaviors that transmit sensitive data to unauthorized destinations without a technical exploit in the chain. Until this class has a triage criterion distinct from CVSS-scored technical vulnerabilities, security teams will keep discovering them after the fact, which is to say after the credentials have already left.
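The supplementary criterion above, as an added example that is not part of the original post: a small triage model that ranks a queue by the sensitivity of the exposed data category alongside CVSS, and labels the by-design class the post names. The sensitivity tiers, the tier thresholds, the Open WebUI placeholder id and its 3.5 stand-in score are constructed for this example, not taken from any standard or vendor.

```python
from dataclasses import dataclass

# Phrases marking "by-design data exposure" (the class the post names): data leaves
# through intended behaviour, with no exploit in the chain.
EXPOSURE_MARKERS = ("telemetry", "default data transmission", "third-party data sharing")
# Sensitivity of the captured data category. Constructed tiers for this example, not a
# published standard; unknown categories score 1 so they are never silently dropped.
SENSITIVITY = {"credentials": 3, "sql queries": 2, "system prompts": 2, "usage metadata": 0}

@dataclass(frozen=True)
class Disclosure:
    cve: str
    cvss: float
    summary: str
    data_categories: tuple = ()   # what the exposed data actually is
    exploited: bool = False       # confirmed active exploitation

def classify(d: Disclosure) -> str:
    text = d.summary.lower()
    if any(m in text for m in EXPOSURE_MARKERS):
        return "by-design data exposure"
    return "technical vulnerability"

def data_sensitivity(d: Disclosure) -> int:
    return max((SENSITIVITY.get(c, 1) for c in d.data_categories), default=0)

def triage_tier(d: Disclosure) -> int:
    """0 = this week, 1 = next, 2 = scheduled, 3 = backlog. Data sensitivity is
    evaluated independently of the CVSS score and can escalate an item on its own."""
    sens = data_sensitivity(d)
    if d.exploited or d.cvss >= 9.0 or sens >= 3:
        return 0
    if d.cvss >= 7.0 or sens >= 2:
        return 1
    return 2 if d.cvss >= 4.0 else 3

def cvss_only_order(items):
    """The conventional queue: highest CVSS first."""
    return [d.cve for d in sorted(items, key=lambda d: -d.cvss)]

def supplementary_order(items):
    """Tier first, then CVSS within the tier."""
    return [d.cve for d in sorted(items, key=lambda d: (triage_tier(d), -d.cvss))]

# Constructed sample queue from disclosures named in the post. The Open WebUI item has
# no CVE id or exact score on the page: placeholder id, 3.5 used as a stand-in for "3.x".
QUEUE = [
    Disclosure("CVE-2026-44336", 9.6, "RCE via unsanitized path parameter in MCP server"),
    Disclosure("CVE-2026-40217", 8.8, "guardrail sandbox bypass via bytecode manipulation"),
    Disclosure("CVE-2026-44968", 6.3, "argument injection via unsanitized node_selection"),
    Disclosure("OPENWEBUI-PLACEHOLDER", 3.5, "any authenticated user can read admin system prompts", ("system prompts",)),
    Disclosure("CVE-2026-44970", 3.1, "default telemetry transmits every MCP tool call argument", ("sql queries", "credentials")),
]
```

With this queue, `cvss_only_order` puts CVE-2026-44970 last, while `supplementary_order` places it in the same tier as the 9.6 because the captured category is credentials.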
The Exchange zero-day and the Cisco CVSS 10.0 deserve the urgent response they will receive this week. So does the quiet 3.1 that nobody will notice until an analytics dashboard somewhere shows data it should not have.
Security Unlocked publishes weekly threat intelligence and strategic analysis. This post is based on intelligence collected May 11 - May 17, 2026.