Azure Data Explorer MCP Server — KQL injection allows arbitrary query execution (CVE-2026-33980)

AI relevance: This MCP server vulnerability demonstrates how prompt-injected AI agents can bypass tool trust boundaries, executing arbitrary data queries through what appear to be safe metadata inspection tools.

  • CVE-2026-33980 affects the Azure Data Explorer MCP Server (adx-mcp-server Python package), exposing KQL (Kusto Query Language) injection vulnerabilities in three tool handlers.
  • The vulnerable tools — get_table_schema, sample_table_data, and get_table_details — directly interpolate user input into KQL queries via f-strings without validation or sanitization.
  • Attackers can inject arbitrary KQL through these parameters, including:
    - Data exfiltration: sensitive_table | project Secret, Password | take 100
    - Destructive management commands: .drop table critical_data, via newline injection
    - Full query execution, bypassing the restrictions the tool was supposed to enforce
  • The vulnerability is particularly dangerous because these tools are often presented as "safe" metadata inspection functions, while the execute_query tool requires explicit user confirmation.
  • MCP clients may grant automatic access to these "safe" tools while requiring approval for the raw query tool, making this injection a trust boundary bypass.
  • The server was vulnerable in all versions up to commit 48b2933, patched in commit 0abe0ee on March 27, 2026.
  • KQL chains query operators with | and prefixes management commands with ., so a single injected parameter reaches both the read pipeline and the management-command surface.
  • This follows a pattern of MCP server vulnerabilities where tool parameters are treated as trusted data rather than user input requiring validation.
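The f-string pattern described above, shown beside a hardened version, as an added example that is not the adx-mcp-server source. The handler shape (`"{table} | getschema"`, `"{table} | take {n}"`) and the table catalog are assumptions made for illustration; the two payloads are the ones quoted on this page. The hardened path rejects rather than escapes: the name must match a conservative identifier pattern and must be a table the server already knows about, and the row limit is type-checked and bounded rather than trusted from the JSON arguments.

```python
import re

# The page's own payloads, reused here as constructed test inputs.
EXFIL_PAYLOAD = "sensitive_table | project Secret, Password | take 100"
DROP_PAYLOAD = "events\n.drop table critical_data"

# Allow-list for any identifier that reaches a KQL query. Kusto entity names
# can be broader than this (quoted ['names'] with spaces and so on); a
# metadata tool loses nothing by refusing those, and rejecting is safer than
# trying to escape.
_IDENTIFIER = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,1023}")

# Constructed stand-in for the cluster's table list (in production, the
# result of a .show tables call cached by the server).
CATALOG = frozenset({"StormEvents", "Logs"})


def build_schema_query_vulnerable(table_name: str) -> str:
    """ASSUMED shape of a flawed handler: the tool argument is dropped
    straight into an f-string. Illustrative only, not the project's code."""
    return f"{table_name} | getschema"


def is_valid_identifier(name) -> bool:
    # fullmatch, not match() with '$': '$' would accept a trailing newline,
    # which is exactly the character a newline-injection payload relies on.
    return isinstance(name, str) and _IDENTIFIER.fullmatch(name) is not None


def validate_identifier(name) -> str:
    if not is_valid_identifier(name):
        raise ValueError(f"rejected identifier: {name!r}")
    return name


def resolve_table(name, catalog: frozenset) -> str:
    """Second check: the validated name must also be a known table. Exact,
    case-sensitive membership; no normalisation that an attacker could
    steer."""
    name = validate_identifier(name)
    if name not in catalog:
        raise ValueError(f"unknown table: {name!r}")
    return name


def build_schema_query_safe(table_name, catalog: frozenset = CATALOG) -> str:
    return f"{resolve_table(table_name, catalog)} | getschema"


def build_sample_query_safe(table_name, limit, catalog: frozenset = CATALOG) -> str:
    # MCP arguments arrive as JSON; the declared int type is a hint, not a
    # guarantee. bool is a subclass of int, so exclude it explicitly.
    if isinstance(limit, bool) or not isinstance(limit, int):
        raise ValueError(f"limit must be an integer, got {limit!r}")
    if not 1 <= limit <= 1000:
        raise ValueError(f"limit out of range: {limit}")
    return f"{resolve_table(table_name, catalog)} | take {limit}"


def rejects(fn, *args) -> bool:
    """True if the hardened builder refuses the input."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable:", build_schema_query_vulnerable(EXFIL_PAYLOAD))
    for name in (EXFIL_PAYLOAD, DROP_PAYLOAD, "sensitive_table", "StormEvents"):
        try:
            print("hardened:  ", build_schema_query_safe(name))
        except ValueError as err:
            print("blocked:   ", err)
```

Run as a script it prints the chained query the vulnerable builder would send for the exfiltration payload, then shows the hardened builder refusing both payloads and the unknown table name while still serving the legitimate request.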

Why it matters

  • MCP servers often handle sensitive data access, making injection vulnerabilities particularly high-impact for data exfiltration and destruction.
  • The trust boundary bypass is significant: clients may automatically allow "safe" metadata tools while restricting raw query execution, but this vulnerability defeats that security model.
  • Azure Data Explorer stores sensitive analytics data for many organizations, making this a high-value target for attackers leveraging prompt-injected AI agents.
  • This reinforces the need for input validation in all MCP tool parameters, not just those obviously accepting executable code.

What to do

  • Update immediately: Upgrade to the patched version of adx-mcp-server or apply the commit 0abe0ee fix.
  • Validate all tool inputs: Treat every MCP tool parameter as untrusted, even where the schema declares a simple type; allow-list identifiers such as table and column names against an expected pattern (or the server's own catalog) instead of escaping them, and never splice unvalidated input into a query string.
  • Review trust boundaries: Audit which tools receive automatic vs. confirmed access in your MCP client configurations.
  • Monitor query patterns: Implement logging and alerting for unusual KQL query patterns from MCP servers.
  • Principle of least privilege: Ensure MCP servers operate with minimal necessary permissions to limit potential damage from injections.
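One way to act on the monitoring item above, as an added example rather than anything shipped with adx-mcp-server or Azure Data Explorer: a detector that reads query-audit records and alerts when the KQL a metadata tool actually sent does not match the single query shape that tool is allowed to produce, or contains a management command. The log format (one JSON object per line with `tool`, `principal` and `query`) and the per-tool templates are assumptions; the records are constructed for the example and include the two payloads quoted on this page.

```python
import json
import re

# Constructed audit records in an assumed gateway/server log format: which
# tool ran, on whose behalf, and the exact KQL text sent to the cluster.
AUDIT_LOG = r'''
{"tool": "get_table_schema", "principal": "mcp-agent", "query": "StormEvents | getschema"}
{"tool": "sample_table_data", "principal": "mcp-agent", "query": "Logs | take 10"}
{"tool": "get_table_schema", "principal": "mcp-agent", "query": "sensitive_table | project Secret, Password | take 100 | getschema"}
{"tool": "get_table_schema", "principal": "mcp-agent", "query": "events\n.drop table critical_data | getschema"}
{"tool": "execute_query", "principal": "alice", "query": "StormEvents | summarize count() by State"}
'''

# Assumed: each "safe" metadata tool is only ever supposed to emit one query
# shape. Anything else from that tool is either a bug or an injection.
EXPECTED_SHAPE = {
    "get_table_schema": re.compile(r"[A-Za-z_][A-Za-z0-9_]* \| getschema"),
    "sample_table_data": re.compile(r"[A-Za-z_][A-Za-z0-9_]* \| take \d+"),
}

# A line (first line, or any line after a newline) beginning with '.' is a
# management command; none of the metadata tools should ever produce one.
MANAGEMENT_COMMAND = re.compile(r"(^|\n)\s*\.\w+")


def analyze(record: dict) -> list:
    """Return the reasons this record should raise an alert (empty if none)."""
    reasons = []
    query = record["query"]
    tool = record["tool"]
    if MANAGEMENT_COMMAND.search(query):
        reasons.append("management command in query text")
    shape = EXPECTED_SHAPE.get(tool)
    if shape is not None and shape.fullmatch(query) is None:
        reasons.append(f"query does not match the template for {tool}")
    return reasons


def audit(log_text: str) -> list:
    """Parse JSON-lines audit records and return one alert per offending record."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        reasons = analyze(record)
        if reasons:
            alerts.append({
                "tool": record["tool"],
                "principal": record["principal"],
                "query": record["query"],
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in audit(AUDIT_LOG):
        print(f"[ALERT] {alert['principal']} via {alert['tool']}: {alert['reasons']}")
        print("        ", repr(alert["query"]))
```

The `execute_query` record produces no alert on purpose: that tool legitimately runs arbitrary KQL and is gated by user confirmation, so it is covered by the client-side approval rather than by this check. The value of the template match is that it is independent of the server's own input validation: if the server is still unpatched, or a new tool is added without validation, the deviation still shows up in the query text.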

Sources