Bug Hunter Tracks Down 3 Serious MCP Flaws, One Unpatched

The discovery of three serious MCP vulnerabilities in widely used database servers has sent ripples through the cybersecurity community. A security researcher from Akamai uncovered flaws affecting Apache Doris, Apache Pinot, and Alibaba RDS, revealing that attackers could execute malicious SQL commands, steal sensitive metadata, or even take full control of exposed database instances. While two of these issues have seen some form of response, one vendor has chosen to leave its users exposed.


The Core Problem: MCP Security Gaps

Model Context Protocol, or MCP, was originally developed by Anthropic to serve as a bridge between large language models, AI agents, and external systems. Think of it as a universal translator that lets AI tools talk to databases, APIs, and other services. The protocol is open source and has gained traction among developers who want their AI agents to perform real-world actions, like running queries or fetching data.

However, these MCP vulnerabilities highlight a fundamental weakness: the security validation between the MCP server and its backend database is either missing or flawed. Security researcher Tomer Peled, who will present his findings at the x33fcon conference next month, warned that these gaps will become prime targets for attackers as adoption grows.

Flaw Number One: SQL Injection in Apache Doris MCP

The first vulnerability, tracked as CVE-2025-66335, affects the Apache Doris MCP Server. Apache Doris is a high-speed analytics database used by over 10,000 mid-sized and large enterprises. Its MCP server lets AI agents interact with Doris instances, performing tasks like running SQL queries or retrieving table metadata.

The problem lies in the exec_query function. When an MCP tool is called, this function fails to validate one of its five parameters: the db_name parameter. An attacker who gains access to a client connected to the Doris MCP server can inject malicious SQL code through this parameter. The injected code gets prepended to the beginning of the final SQL statement, and the SQL validator only checks the first portion of the query. This means the validator sees only the attacker’s directive, not the legitimate query that follows.

Apache issued a patch in December 2024, fixing the flaw in version 0.6.1 of the Doris MCP Server. Users running earlier versions should update immediately. The patch closes the injection vector by properly validating the db_name parameter before constructing the SQL query.

How This Vulnerability Works in Practice

Imagine an AI agent that helps a marketing team analyze customer data. The agent sends a request to the Doris MCP server to query a database named customer_data. If an attacker has compromised the client machine, they can modify the db_name parameter to include malicious SQL commands. Instead of customer_data, the parameter might read customer_data; DROP TABLE orders;. The SQL validator sees only customer_data and approves the query, but the database executes both commands, potentially deleting critical tables.
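The pattern described above, as an added illustration that is not the Apache Doris MCP server's own code: a hypothetical exec_query-style builder that prepends an unvalidated db_name, a validator that only inspects the leading statement, and the hardened counterparts that check the identifier and every statement.

```python
import re

# Constructed model of the injection pattern described in the article; the function
# names and the "USE <db>; <query>" shape are assumptions, not the Doris MCP code.

ALLOWED_VERBS = {"USE", "SELECT", "SHOW", "DESCRIBE", "EXPLAIN"}
IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")


def _statements(sql: str) -> list[str]:
    # Simplified splitter for the illustration; it ignores ';' inside string literals.
    return [s.strip() for s in sql.split(";") if s.strip()]


def naive_validate(sql: str) -> bool:
    """Looks only at the first statement, as the flawed validator does."""
    stmts = _statements(sql)
    return bool(stmts) and stmts[0].split()[0].upper() in ALLOWED_VERBS


def strict_validate(sql: str) -> bool:
    """Checks every statement, so a trailing DROP cannot hide behind a harmless USE."""
    stmts = _statements(sql)
    return bool(stmts) and all(s.split()[0].upper() in ALLOWED_VERBS for s in stmts)


def build_query_vulnerable(db_name: str, query: str) -> str:
    """Prepends db_name unchecked: whatever the client sends lands in the SQL."""
    return f"USE {db_name}; {query}"


def build_query_fixed(db_name: str, query: str) -> str:
    """Accepts db_name only as a bare identifier, quotes it, and allows one statement."""
    if not IDENT_RE.fullmatch(db_name):
        raise ValueError(f"db_name is not a plain identifier: {db_name!r}")
    if len(_statements(query)) != 1:
        raise ValueError("exactly one statement is allowed per call")
    return f"USE `{db_name}`; {query}"


if __name__ == "__main__":
    bad_db = "customer_data; DROP TABLE orders"  # the article's example input
    vuln_sql = build_query_vulnerable(bad_db, "SELECT COUNT(*) FROM orders")
    print(vuln_sql)
    print("naive:", naive_validate(vuln_sql), "strict:", strict_validate(vuln_sql))
    try:
        build_query_fixed(bad_db, "SELECT COUNT(*) FROM orders")
    except ValueError as exc:
        print("rejected:", exc)
```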

Flaw Number Two: Authentication Bypass in Apache Pinot MCP

The second MCP vulnerability affects Apache Pinot, another fast analytics database. The MCP integration for Pinot, developed by StarTree, allowed users to run queries directly from their AI agents against their Pinot instances. Versions before 2.0.0 used HTTP as the transport layer without requiring any authentication. This means any remote attacker who can reach the MCP endpoint can invoke MCP tools, including those used for SQL execution.

Peled described this as a serious risk: in environments where the MCP endpoint is reachable externally, unauthenticated attackers can execute queries against the Pinot instance. This can lead to a full remote takeover of the database. The attacker could read, modify, or delete any data stored in the Pinot database.

StarTree has since added OAuth as an authentication option when using HTTP transport. However, Peled notes that the SQL injection risk still exists in the code. The addition of OAuth reduces the threat but does not eliminate it entirely. Apache has also opened a security issue in the MCP Pinot GitHub repository, acknowledging the problem.

Pinot MCP versions 1.1.0 and earlier are affected. Users should upgrade to version 2.0.0 or later and enable OAuth authentication. Additionally, network administrators should ensure that MCP endpoints are not exposed to the public internet without proper access controls.

Real-World Scenario: An Exposed Pinot Endpoint

Consider a startup that uses Pinot for real-time analytics on user behavior. They set up the MCP integration to let their AI assistant generate reports. Without authentication, anyone who discovers the MCP endpoint URL can send queries. A malicious actor could run a query that extracts all user email addresses and passwords, or worse, drop the entire database. The startup would face a data breach and potentially lose all their analytics data.

Flaw Number Three: Information Disclosure in Alibaba RDS MCP

The third vulnerability is an information disclosure issue in the Alibaba RDS MCP server. Unlike the other two, this flaw has not been patched. Alibaba declined to fix it, according to Peled, who reported the issue to the company in November 2024.

The problem is that the Alibaba RDS MCP server does not authenticate users before invoking the RAG MCP tool. RAG stands for Retrieval-Augmented Generation, a technique that combines AI models with external data sources. Without authentication, any unauthenticated user can call the RAG MCP tool and exfiltrate sensitive metadata about the database configuration, table structures, and schema information.

Peled reported the issue to Alibaba, but the company responded that it was not applicable for a fix. Akamai then reported the inaction to CERT/CC, the Computer Emergency Response Team Coordination Center. All versions of Alibaba RDS MCP are affected by this information disclosure vulnerability.


Why This Matters for Alibaba Cloud Users

Metadata might sound harmless, but it is a goldmine for attackers. Knowing the database schema, table names, column types, and indexes allows an attacker to craft precise SQL injection attacks. It also reveals the structure of the application, making it easier to find other vulnerabilities. For businesses running sensitive workloads on Alibaba Cloud, this is a serious concern. The lack of authentication means that anyone who can reach the MCP endpoint can gather intelligence about the database without leaving a trace.

The Bigger Picture: MCP Security Is Still Evolving

These three MCP vulnerabilities point to a broader issue in the ecosystem. MCP is relatively new, and security best practices have not yet caught up with adoption. Developers are rushing to integrate AI agents with their databases, often overlooking basic security measures like input validation, authentication, and access control.

Peled emphasized that these gaps will become high-value targets for attackers. As more organizations deploy MCP servers, the attack surface grows. The protocol itself is not inherently insecure, but the implementations often are. Developers need to treat MCP servers as critical infrastructure, not as experimental add-ons.

Practical Steps for Protecting Your MCP Deployments

If you are using MCP servers in your environment, here are actionable steps to reduce risk:

  • Update all MCP server software to the latest versions. For Apache Doris, upgrade to version 0.6.1 or later. For Apache Pinot, upgrade to version 2.0.0 or later and enable OAuth authentication.
  • Never expose MCP endpoints to the public internet without authentication. Use VPNs, firewalls, or cloud security groups to restrict access.
  • Implement input validation on all parameters passed to MCP tools. Even if the vendor has patched known issues, custom validation adds a layer of defense.
  • Monitor MCP server logs for unusual activity. Look for unexpected SQL queries, repeated failed authentication attempts, or requests from unknown IP addresses.
  • Conduct regular security reviews of your MCP integrations. Treat them as you would any other critical API endpoint.
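The monitoring step above, as an added example that is not from the article or any vendor: a small scan over a constructed JSON-lines MCP server log that flags the conditions the list names (unauthenticated tool calls, calls from outside trusted networks, repeated failed authentication, and tool arguments that carry a non-identifier db_name or destructive SQL). The log field names and the trusted network range are assumptions to adapt to your own server's output.

```python
import ipaddress
import json
import re
from collections import Counter

TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal range
DESTRUCTIVE_SQL = re.compile(r"\b(DROP|DELETE|TRUNCATE|ALTER)\b", re.IGNORECASE)
IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")

# Constructed sample log; field names (ts, src, auth, tool, args) are assumptions.
SAMPLE_LOG = """\
{"ts":"2025-01-10T09:00:01Z","src":"10.1.2.3","auth":"ok","tool":"exec_query","args":{"db_name":"customer_data","query":"SELECT COUNT(*) FROM orders"}}
{"ts":"2025-01-10T09:00:05Z","src":"203.0.113.7","auth":"none","tool":"exec_query","args":{"db_name":"customer_data; DROP TABLE orders","query":"SELECT 1"}}
{"ts":"2025-01-10T09:00:06Z","src":"203.0.113.7","auth":"failed","tool":null,"args":{}}
{"ts":"2025-01-10T09:00:07Z","src":"203.0.113.7","auth":"failed","tool":null,"args":{}}
{"ts":"2025-01-10T09:00:08Z","src":"203.0.113.7","auth":"failed","tool":null,"args":{}}
"""


def scan_mcp_log(text: str, fail_threshold: int = 3) -> list[str]:
    """Returns one finding string per suspicious condition seen in the log."""
    findings: list[str] = []
    failures: Counter = Counter()
    for line in text.splitlines():
        ev = json.loads(line)
        src = ev["src"]
        external = not any(ipaddress.ip_address(src) in net for net in TRUSTED_NETS)
        if ev["auth"] == "failed":
            failures[src] += 1
            if failures[src] == fail_threshold:  # report once per source
                findings.append(f"{src}: {fail_threshold} failed authentication attempts")
            continue
        if ev["tool"] and ev["auth"] == "none":
            findings.append(f"{src}: unauthenticated call to {ev['tool']}")
        if ev["tool"] and external:
            findings.append(f"{src}: tool call from outside trusted networks")
        args = ev.get("args") or {}
        db = args.get("db_name")
        if db is not None and not IDENT_RE.fullmatch(db):
            findings.append(f"{src}: db_name is not a plain identifier: {db!r}")
        if DESTRUCTIVE_SQL.search(json.dumps(args)):
            findings.append(f"{src}: destructive SQL keyword in tool arguments")
    return findings


if __name__ == "__main__":
    for finding in scan_mcp_log(SAMPLE_LOG):
        print(finding)
```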

What Vendors Should Do Differently

The response from the three vendors highlights the inconsistency in handling MCP vulnerabilities. Apache acted quickly, issuing a patch and a CVE tracker for the Doris flaw. StarTree added authentication options for Pinot MCP. But Alibaba’s decision to leave its RDS MCP flaw unpatched sets a dangerous precedent.

Vendors should adopt a proactive stance. This means conducting security audits before releasing MCP servers, implementing authentication by default rather than as an optional feature, and establishing clear disclosure policies. When a researcher reports a vulnerability, the response should be swift and transparent. Ignoring the issue only puts users at risk.

Looking Ahead: The Future of MCP Security

The discovery of these three flaws is likely just the beginning. As MCP adoption grows, researchers will find more vulnerabilities. The protocol itself may need updates to include security features like mandatory authentication, parameterized queries, and rate limiting. The community should also develop standard security guidelines for MCP implementations.

For now, the best defense is awareness. Organizations using MCP should audit their deployments, apply available patches, and assume that unpatched vulnerabilities exist. The three flaws uncovered by Peled serve as a wake-up call for the entire AI ecosystem. Security cannot be an afterthought when AI agents are given direct access to production databases.

The coming months will likely see more disclosures and more patches. The hope is that vendors will learn from these incidents and prioritize security from the start. Until then, users must take responsibility for protecting their own systems.
