One Is a Fluke, 3 Is a Pattern: MCP Back-End Vulnerabilities
Security researchers discovered critical vulnerabilities in three widely used Model Context Protocol (MCP) servers—Apache Doris, Apache Pinot, and Alibaba RDS—stemming from insufficient back-end security validation. These flaws include SQL injection (CVE-2025-66335), missing authentication, and unauthenticated data exposure, allowing attackers to execute arbitrary commands or exfiltrate sensitive database metadata.
Authors: Tomer Peled
Source: Akamai
- URL /api/tools/call: REST API endpoint for direct tool calls in Apache Pinot MCP, which may be targeted for unauthorized SQL execution.
- URL /sse: Server-Sent Events (SSE) endpoint used by MCP servers for communication, potentially exposed to unauthenticated users.
What Happened
Security researchers discovered vulnerabilities in three popular tools used to connect Artificial Intelligence models to databases, known as Model Context Protocol (MCP) servers. Organizations using Apache Doris, Apache Pinot, and Alibaba RDS are affected by these software flaws. Because these tools lack proper security checks, attackers could potentially access, steal, or manipulate sensitive database information without needing a password. Organizations using these MCP servers should immediately update their software, restrict network access, and ensure all AI requests are properly validated.
Key Takeaways
- Researchers identified critical vulnerabilities in three popular Model Context Protocol (MCP) servers: Apache Doris, Apache Pinot, and Alibaba RDS.
- Apache Doris MCP (v0.6 and prior) contains a SQL injection vulnerability (CVE-2025-66335) due to an unsanitized db_name parameter.
- Apache Pinot MCP (v1.1.0 and prior) exposed an unauthenticated HTTP endpoint allowing attackers to execute arbitrary SELECT-based SQL queries.
- Alibaba RDS MCP exposes an unauthenticated vector database retrieval tool, allowing attackers to exfiltrate sensitive table and schema metadata.
- The flexibility of the MCP specification leads to inconsistent back-end security implementations, requiring developers to strictly enforce authentication and input validation.
Affected Systems
- Apache Doris MCP v0.6 and previous
- Apache Pinot MCP v1.1.0 and previous
- Alibaba RDS MCP (All versions)
Vulnerabilities (CVEs)
- CVE-2025-66335
Attack Chain
Attackers target exposed Model Context Protocol (MCP) servers that lack proper authentication or input validation. In the case of Apache Doris, attackers inject malicious SQL statements through the unsanitized 'db_name' parameter during tool invocation. For Apache Pinot and Alibaba RDS, attackers connect directly to unauthenticated HTTP endpoints to execute arbitrary SELECT queries or retrieve sensitive vector database metadata via the 'get_table_struct' tool.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
The article does not provide specific detection rules or queries.
Detection Engineering Assessment
- EDR Visibility: Low — EDR solutions typically monitor endpoint processes and file systems, and may not natively inspect the application-layer SQL queries or API requests involved in these MCP vulnerabilities.
- Network Visibility: Medium — Network sensors can detect unauthenticated access to default MCP ports (8080, 8006) or anomalous SQL queries if the traffic is unencrypted.
- Detection Difficulty: Moderate — Detecting these exploits requires application-level visibility into API requests and database queries to distinguish malicious SQL injection or unauthorized data access from legitimate AI agent activity.
Required Log Sources
- Web Application Firewall (WAF) logs
- Database audit logs
- Application access logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Look for unexpected inbound network connections to ports 8080 or 8006 originating from non-standard IPs, indicating potential unauthorized access to MCP servers. | Network flow logs, Firewall logs | Initial Access | Medium |
| Monitor database audit logs for SQL queries containing unexpected semicolons or comments in the database name field, which may indicate exploitation of CVE-2025-66335 in Apache Doris. | Database audit logs | Execution | Low |
| Identify high volumes of unauthenticated requests to the '/api/tools/call' or '/sse' endpoints on MCP servers, suggesting potential data exfiltration or unauthorized tool invocation. | Web server access logs | Collection | Low |
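As an added defender-side illustration of the second and third hunting hypotheses (not code from Akamai or from the MCP projects): a small Python hunt over constructed JSON access-log records that counts unauthenticated hits per source IP on the MCP endpoints named above, plus a strict identifier check for the db_name field. The JSON record layout, the `authenticated` field and the sample IPs are assumptions; real servers log differently.

```python
import re
import json

# Endpoints and tool named on the page as targets of unauthenticated access
MCP_ENDPOINTS = ("/api/tools/call", "/sse")
SENSITIVE_TOOLS = {"get_table_struct"}
# A database name should be a bare identifier; anything else is suspicious
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
INJECTION_MARKERS = (";", "--", "/*", "*/", "'", '"')

def suspicious_db_name(db_name: str) -> list:
    """Return the injection markers found in a db_name value (empty list if clean)."""
    if IDENT_RE.match(db_name):
        return []
    return [m for m in INJECTION_MARKERS if m in db_name] or ["non-identifier"]

def hunt_access_log(lines, threshold=3):
    """Count unauthenticated requests per source IP to MCP endpoints.
    Each line is a JSON record in a constructed format (assumption, not a real server log):
    {"src": ip, "path": url, "authenticated": bool, "tool": name or null}
    Returns {ip: {"count": n, "tools": {sensitive tool names seen}}} for IPs
    with at least `threshold` unauthenticated hits."""
    hits = {}
    for line in lines:
        rec = json.loads(line)
        if rec.get("authenticated") or not rec["path"].startswith(MCP_ENDPOINTS):
            continue  # authenticated traffic and non-MCP paths are out of scope
        entry = hits.setdefault(rec["src"], {"count": 0, "tools": set()})
        entry["count"] += 1
        if rec.get("tool") in SENSITIVE_TOOLS:
            entry["tools"].add(rec["tool"])
    return {ip: e for ip, e in hits.items() if e["count"] >= threshold}

# Constructed sample records (not real traffic; documentation IP ranges)
SAMPLE_LOG = [
    '{"src": "203.0.113.7", "path": "/api/tools/call", "authenticated": false, "tool": "get_table_struct"}',
    '{"src": "203.0.113.7", "path": "/api/tools/call", "authenticated": false, "tool": "get_table_struct"}',
    '{"src": "203.0.113.7", "path": "/sse", "authenticated": false, "tool": null}',
    '{"src": "10.0.0.5", "path": "/api/tools/call", "authenticated": true, "tool": "get_table_struct"}',
    '{"src": "198.51.100.2", "path": "/healthz", "authenticated": false, "tool": null}',
]

if __name__ == "__main__":
    print(hunt_access_log(SAMPLE_LOG))
    print(suspicious_db_name("analytics"))
    print(suspicious_db_name("analytics; -- x"))
```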
Control Gaps
- Lack of transport layer authentication
- Insufficient server-side input validation for SQL queries
Key Behavioral Indicators
- Anomalous API requests to /api/tools/call
- High volume of requests to the get_table_struct tool
- SQL queries with injected semicolons or comments in metadata fields
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Update Apache Doris MCP to a patched version (post v0.6) to resolve CVE-2025-66335.
- Update Apache Pinot MCP to v2.0.0 or later and enable OAuth authentication.
- Restrict network access to Alibaba RDS MCP and other MCP servers using firewalls or security groups to prevent unauthorized external access.
Infrastructure Hardening
- Enforce authentication at the transport layer for all deployed MCP servers.
- Apply least-privilege access controls to back-end database systems connected to MCP servers.
User Protection
- N/A
Security Awareness
- Train developers on secure MCP server development practices, emphasizing strict server-side parameter validation and adherence to OWASP GenAI Security Project guidelines.
MITRE ATT&CK Mapping
- T1190 - Exploit Public-Facing Application
- T1213 - Data from Information Repositories