CVE-2026-31841: Raw Database Statement Exposure in Hyperterse MCP Search Tool

Hyperterse operates as a Model Context Protocol (MCP) server, bridging artificial intelligence agents with internal backend surfaces. The framework exposes a discrete set of tools that Large Language Models (LLMs) can discover and invoke via natural language. Prior to version 2.2.0, the framework contained a medium-severity information disclosure vulnerability (CVE-2026-31841) within this tool discovery mechanism.

The vulnerability is classified as CWE-433 (Unparsed Raw Web Content Delivery). The system returns internal database queries directly to the client interface without appropriate sanitization or filtering. This defect resides specifically within the search capability, which is responsible for returning available tool schemas to the querying agent based on semantic relevance.

By invoking the search tool, any authenticated or unauthenticated client capable of interacting with the MCP surface receives extensive metadata about the backend operations. The exposed data includes exact SQL query templates, revealing the underlying table names, column structures, and relational mapping parameters utilized by the framework's SQL adapters.

The root cause lies in the handling of internal Tool object serialization within the MCP server's search functionality. When a client issues a query via the search tool, the Hyperterse backend queries its internal index to locate relevant operational capabilities. These internal representations contain comprehensive metadata, including a Statement field that stores the raw SQL query template (e.g., SELECT * FROM users WHERE id = {{ inputs.userId }}) associated with the tool.

The application code in core/runtime/mcp/mcp.go lacked an output sanitization layer during the construction of the JSON response payload. The callSearchTool function iterated over the search index hits and directly appended the unredacted Tool.Statement field into the final response map. This architectural oversight resulted in internal implementation details being broadcast across the API boundary.

Furthermore, the framework's indexing logic in core/runtime/mcp/search_index.go aggressively indexed all tool statements regardless of their execution context. Even handler-only tools, which execute custom scripts rather than database adapters, had their synthetic placeholder statements injected into the searchable index. This maximized the surface area for exposure, ensuring that almost any search operation would leak internal statement strings back to the requester.

The remediation for this vulnerability required targeted modifications across the MCP response routing and the search indexing systems. The primary fix was implemented in commit 1fdb9479be0bf87fed24f8553839a3d8b0723f4a. The developers modified the callSearchTool function in core/runtime/mcp/mcp.go to explicitly remove the statement field from the mapped search results.

// core/runtime/mcp/mcp.go (Vulnerable & Patched)
 func (a *Adapter) callSearchTool(ctx context.Context, req *mcpsdk.CallToolRequest) ...
 	for _, hit := range hits {
 		results = append(results, map[string]interface{}{
 			"name":              hit.Tool.Name,
 			relevanceScoreField: hit.RelevanceScore,
 			"description":       hit.Tool.Description,
- 			"statement":         hit.Tool.Statement, // Vulnerable line removed
 			"inputs":            buildInputMetadata(hit.Tool),
 		})
 	}

A secondary hardening measure was introduced via commit efa400591bd8748cc849bae37c6e9b55e0f45b20 to address the internal indexing behavior. The newToolSearchIndex function in core/runtime/mcp/search_index.go was updated to conditionally evaluate whether a statement should be indexed at all.

// core/runtime/mcp/search_index.go (Patched)
 func newToolSearchIndex(tools []*hyperterse.Tool) *toolSearchIndex {
     ...
-    statementText := normalizeText(tool.Statement)
+    statementText := ""
+    if len(tool.Use) > 0 { // Restrict indexing to adapter-backed tools
+        statementText = normalizeText(tool.Statement)
+    }
     ...
 }

This secondary patch ensures that synthetic statements from handler-only tools are excluded from the index entirely, narrowing the data footprint stored in memory. The combination of these two commits fully resolves the unparsed raw web content delivery issue by cutting off the leak at the API boundary and restricting internal data processing.

Exploitation requires the attacker to have network access to the Hyperterse MCP endpoint and the ability to send callTool requests. The attack sequence begins with the adversary crafting a standard MCP request targeting the internal search tool. The payload utilizes a broad natural language query string designed to trigger multiple matches within the backend index.

Upon receiving the request, the Hyperterse server processes the semantic search and constructs a JSON response array. In vulnerable versions, the application serializes the raw Statement field for each matched tool. The attacker intercepts or parses this JSON payload to extract the SQL strings. A typical leaked statement reveals critical structure: SELECT user_id, email, password_hash FROM core_users WHERE email = {{ inputs.email }}.

With this structural knowledge, the attacker maps the entire database schema without needing an initial blind SQL injection vector. The gathered intelligence acts as a foundational reconnaissance phase. The attacker subsequently leverages the discovered table structures and column naming conventions to craft highly specific logic bypass payloads against the framework's executable tools.

The CVSS v3.1 base score for CVE-2026-31841 is 6.5, reflecting a medium severity rating. The primary impact is constrained to a partial loss of confidentiality (C:L). While the vulnerability does not directly expose user data records, it systematically leaks the architectural blueprints of the backend database. This structural exposure includes table designations, column schemas, and parameterized variable mappings.

The vulnerability also carries a partial integrity impact rating (I:L). The framework operates by executing tools that interface directly with the database. Exposing the exact query syntax provides an attacker with the exact template required to manipulate input parameters effectively. This directly aids in the construction of subsequent attacks, significantly reducing the complexity required to achieve unauthorized data modification or logical bypasses.

The vulnerability does not affect system availability (A:N), as the search queries perform read-only index lookups that do not consume excessive resources or crash the daemon. The attack vector is strictly network-based (AV:N) and requires no special privileges (PR:N) or user interaction (UI:N), making it highly reliable and automated across large-scale scanning operations.

The vendor provides an official patch in Hyperterse version 2.2.0. Administrators must upgrade the framework binaries and redeploy the affected MCP server components immediately. Following the upgrade, a review of the API traffic logs is recommended to identify any prior anomalous usage of the search tool that resulted in large payload responses.

If immediate patching is technically infeasible, organizations can implement interim configuration hardening. Administrators should review the declarative tool definitions and manually sanitize the Statement fields, utilizing handler-only script-backed tools instead of the SQL adapter for operations handling highly sensitive data structures. This prevents the raw schema from residing in the vulnerable configuration struct entirely.

Organizations must also enforce the Principle of Least Privilege at the database layer. The service account credential utilized by the Hyperterse backend adapter must be restricted to minimal permissions. The database user must only possess SELECT, INSERT, or UPDATE rights on the specific tables required for operation, preventing lateral movement or database-wide enumeration if the exposed schema facilitates a secondary SQL injection vector.