
CVE-2026-25650: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in smn2gnt MCP-Salesforce

Severity: Medium
Tags: Vulnerability, CVE-2026-25650, cve, cve-2026-25650, cwe-200
Published: Fri Feb 06 2026 (02/06/2026, 18:53:58 UTC)
Source: CVE Database V5
Vendor/Project: smn2gnt
Product: MCP-Salesforce

Description

CVE-2026-25650 is a medium-severity vulnerability in the MCP-Salesforce Connector prior to version 0.1.10 that allows unauthorized actors to access arbitrary attributes, leading to exposure of Salesforce authentication tokens. This flaw enables attackers to obtain sensitive credentials without authentication or user interaction, potentially compromising Salesforce integrations. The vulnerability arises from improper access control in the MCP server implementation, which is used to facilitate Salesforce integration via the Model Context Protocol. Although no known exploits are currently reported in the wild, the ease of exploitation and the sensitivity of the leaked token pose significant risks. The issue is fixed in version 0.1.10 of the product. European organizations using affected versions should prioritize upgrading and implement strict network segmentation and monitoring to mitigate risk.

AI-Powered Analysis

Last updated: 02/06/2026, 19:30:52 UTC

Technical Analysis

CVE-2026-25650 is a vulnerability identified in the MCP-Salesforce Connector, a server implementation that integrates Salesforce with other systems using the Model Context Protocol (MCP). Versions prior to 0.1.10 suffer from an arbitrary attribute access flaw that allows unauthorized actors to retrieve sensitive information, specifically Salesforce authentication tokens. These tokens are critical credentials that grant access to Salesforce APIs and data. The vulnerability is classified under CWE-200, indicating exposure of sensitive information to unauthorized parties. The root cause is insufficient access control on attribute retrieval within the MCP server, permitting attackers to query and obtain authentication tokens without any authentication, privileges, or user interaction. This flaw can lead to unauthorized access to Salesforce environments, potentially resulting in data breaches, unauthorized data manipulation, or lateral movement within enterprise networks. The vulnerability has a CVSS 4.0 base score of 6.6, reflecting its network attack vector, low attack complexity, and no required privileges or user interaction, but limited impact on integrity and availability. The issue was publicly disclosed on February 6, 2026, and fixed in version 0.1.10 of the MCP-Salesforce Connector. No known exploits have been reported in the wild to date. Organizations using affected versions should urgently upgrade to the patched release and review their Salesforce integration security controls.
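
The advisory does not reproduce the affected code. As an added illustration of the bug class it describes (not code from the MCP-Salesforce project), the sketch below contrasts a dispatcher that resolves a caller-supplied name to any attribute of a client object with an allowlisted, redacting form. `FakeClient`, `session_id`, the operation names and the token value are all constructed assumptions.

```python
# Constructed illustration of arbitrary attribute access (CWE-200).
# Nothing here is taken from the MCP-Salesforce code base.

class FakeClient:
    """Stand-in for an API client that stores its credential as an attribute."""

    def __init__(self):
        self.session_id = "CONSTRUCTED-TOKEN-0000"   # sensitive (constructed value)
        self.instance_url = "https://example.invalid"

    def describe(self):
        return {"objects": ["Account", "Contact"]}

    def limits(self):
        return {"api_calls_remaining": 100}


def dispatch_unsafe(client, name):
    """Weak form: the requested name selects any attribute, data or method."""
    target = getattr(client, name)
    return target() if callable(target) else target


# Hardened form: an explicit map of permitted operations. Plain data
# attributes such as session_id are never reachable through it.
ALLOWED = {"describe": FakeClient.describe, "limits": FakeClient.limits}
SENSITIVE_KEYS = {"session_id", "access_token", "password"}


def redact(value):
    """Defence in depth: mask credential-like keys anywhere in a response."""
    if isinstance(value, dict):
        return {k: "[redacted]" if k in SENSITIVE_KEYS else redact(v)
                for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    return value


def dispatch_safe(client, name):
    """Reject anything outside the allowlist, then redact the result."""
    handler = ALLOWED.get(name)
    if handler is None:
        raise PermissionError(f"operation not permitted: {name!r}")
    return redact(handler(client))
```

The allowlist closes the attribute lookup itself; the redaction pass covers the case where a permitted operation returns a structure that happens to embed a credential.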

Potential Impact

For European organizations, the exposure of Salesforce authentication tokens can have severe consequences. Salesforce often contains sensitive customer data, financial information, and business-critical workflows. Unauthorized access via leaked tokens can lead to data exfiltration, unauthorized data modification, and disruption of business processes. This can result in regulatory non-compliance, especially under GDPR, leading to legal penalties and reputational damage. Enterprises relying on MCP-Salesforce for integration may face increased risk of lateral movement by attackers within their networks if tokens are compromised. The medium severity rating reflects that while the vulnerability does not directly impact system integrity or availability, the confidentiality breach of authentication tokens can facilitate broader attacks. Organizations with extensive Salesforce deployments or those in regulated sectors such as finance, healthcare, and telecommunications are particularly vulnerable. The lack of required privileges or user interaction makes exploitation easier, increasing the risk profile.

Mitigation Recommendations

1. Immediate upgrade to MCP-Salesforce Connector version 0.1.10 or later to apply the official fix.
2. Implement strict network segmentation and firewall rules to limit access to MCP-Salesforce servers only to trusted internal systems.
3. Enforce least privilege principles on systems and users interacting with MCP-Salesforce to minimize token exposure.
4. Monitor logs and network traffic for unusual access patterns or attribute queries indicative of exploitation attempts.
5. Rotate Salesforce authentication tokens and credentials used by MCP-Salesforce integrations after patching to invalidate any potentially compromised tokens.
6. Conduct regular security audits and penetration testing focused on integration points between MCP-Salesforce and Salesforce environments.
7. Educate development and operations teams about secure handling of authentication tokens and the importance of timely patching.
8. Consider implementing additional application-layer access controls or token encryption to reduce risk of token leakage in future deployments.


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-02-04T05:15:41.792Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 69863dc0f9fa50a62f292946

Added to database: 2/6/2026, 7:15:12 PM

Last enriched: 2/6/2026, 7:30:52 PM

Last updated: 2/6/2026, 8:31:49 PM
