CVE-2026-31841: Raw Database Statement Exposure in Hyperterse MCP Search Tool

Published: March 12, 2026 at 03:10 PM EDT
2 min read
Source: Dev.to

CVE Reports

Vulnerability ID: CVE-2026-31841
CVSS Score: 6.5 (Medium)
Published: 2026-03-12

Hyperterse versions 2.0.0 through 2.1.9 expose raw SQL statements via the Model Context Protocol (MCP) search tool. The tool returns internal representations without sanitization, leaking database schema details, table structures, and query logic.

TL;DR

Hyperterse >= 2.0.0, < 2.2.0 (fixed in 2.2.0)

Code Analysis

  • Commit: 1fdb947 – Removes the raw statement field from the search hit map.
  • Commit: efa4005 – Hardened the search index by restricting statement indexing to adapter‑backed tools.

Mitigation Strategies

  • Upgrade to Hyperterse 2.2.0 or later.
  • Apply the principle of least privilege to the database service account.
  • Manually sanitize tool definitions if patching is not immediately possible.
  • Prefer handler‑only tools over SQL adapters for sensitive endpoints.

Remediation Steps

  1. Identify all deployments running Hyperterse MCP versions 2.0.0 – 2.1.9.
  2. Download the 2.2.0 binaries or update the dependency via your package manager.
  3. Restart the Hyperterse MCP server to load the updated runtime.
  4. Verify the fix by sending a callTool request to the search endpoint and confirming that the statement field is absent from the JSON response.
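A verification check for step 4, added here as an example and not taken from the Hyperterse project: it parses a saved tools/call response (the MCP JSON-RPC method behind callTool) and reports every JSON path at which a `statement` key still appears, descending into content[].text payloads that are themselves JSON. The sample responses and the hit-map key name are assumptions.

```python
import json
from typing import Any

# Key the advisory says the patched release (2.2.0) no longer emits from the
# search hit map. Assumption: the leaked key is literally named "statement".
LEAK_FIELDS = frozenset({"statement"})


def _walk(node: Any, path: str, hits: list[str]) -> None:
    """Record JSON paths whose key is in LEAK_FIELDS. MCP tool results usually
    arrive as content[].text strings holding JSON, so those are descended too."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key in LEAK_FIELDS:
                hits.append(child)
            _walk(value, child, hits)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            _walk(item, f"{path}[{i}]", hits)
    elif isinstance(node, str):
        try:
            nested = json.loads(node)
        except ValueError:
            return
        if isinstance(nested, (dict, list)):
            _walk(nested, f"{path}<json>", hits)


def leaked_statement_paths(raw_response: str) -> list[str]:
    """Paths in a tools/call response carrying a raw statement; [] means clean."""
    hits: list[str] = []
    _walk(json.loads(raw_response), "$", hits)
    return hits


def _mcp_result(hit: dict) -> str:
    """Wrap one search hit in a JSON-RPC tools/call response (constructed sample)."""
    body = json.dumps({"hits": [hit]})
    return json.dumps({"jsonrpc": "2.0", "id": 1,
                       "result": {"content": [{"type": "text", "text": body}]}})


# Constructed samples, not captured from a real Hyperterse server.
VULNERABLE_RESPONSE = _mcp_result(
    {"tool": "list_orders", "statement": "SELECT id, total FROM orders WHERE user_id = $1"})
FIXED_RESPONSE = _mcp_result({"tool": "list_orders"})

if __name__ == "__main__":
    print("vulnerable:", leaked_statement_paths(VULNERABLE_RESPONSE))
    print("fixed:", leaked_statement_paths(FIXED_RESPONSE))
```

Point it at a response captured from your own server (for example, the body returned by your MCP client's callTool) and treat any non-empty result as "still unpatched".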
