The Register — Three MCP Database Server Flaws Discovered, One Unpatched
AI relevance: MCP servers are the connective tissue between AI agents and production databases — any injection or auth bypass in an MCP server gives agents the ability to execute unintended queries against backend data systems.
- Akamai security analyst Tomer Peled published findings on three vulnerabilities in MCP servers for popular database projects — Apache Doris, Apache Pinot, and Alibaba RDS — and will present the full research at x33fcon in June.
- Apache Doris MCP Server < 0.6.1 (CVE-2025-66335): SQL injection via the exec_query tool. The db_name parameter is not validated before being prepended into the SQL statement; the query validator only inspects the first portion, allowing arbitrary SQL execution. Patched in December.
- Apache Pinot MCP (StarTree) < v2.0.0: Authentication bypass — the MCP server uses HTTP transport without requiring any auth. When the endpoint is externally reachable, unauthenticated attackers can invoke MCP tools including SQL execution against the Pinot instance.
- Alibaba RDS MCP: Similar SQL injection flaw allowing unintended query execution. Alibaba declined to patch the vulnerability.
- Peled notes a systemic issue: "There is missing or faulty security validation between the MCP server and its back end" — gaps that will become high-value targets as MCP adoption grows across the AI ecosystem.
Why it matters
MCP is becoming the standard protocol for connecting AI agents to external data sources. Every database vendor building an MCP server inherits this trust model. When the MCP layer fails to validate parameters or authenticate connections between itself and the backend, an attacker who can reach the MCP server — or compromise an agent that uses it — gains direct database access without touching the database's own auth.
What to do
- Update Apache Doris MCP Server to v0.6.1 or later.
- Update StarTree MCP for Pinot to v2.0.0+; ensure MCP endpoints are not externally reachable.
- If using Alibaba RDS MCP, treat it as a risk-accepted system — network-isolate the MCP endpoint and monitor for anomalous query patterns.
- Audit all MCP servers in your AI stack for backend validation gaps: parameter sanitization, authentication, and authorization between the MCP layer and data stores.
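
When auditing for the parameter-validation gap described for the exec_query tool, the check to look for is one that allowlists db_name and inspects the entire statement rather than its first portion. The sketch below is an added example, not code from the article or from any of the projects named; the function names, the identifier pattern, and the one-read-only-statement policy are assumptions.

```python
import re

# Assumed policy for this sketch: database names are plain identifiers and
# the tool accepts one read-only statement per call.
_IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")
_READ_ONLY = {"select", "show", "describe", "explain"}

class RejectedQuery(ValueError):
    """Raised when a tool argument fails validation."""

def validate_db_name(db_name):
    # Allowlist the identifier instead of trying to escape it.
    if not isinstance(db_name, str) or not _IDENT.fullmatch(db_name):
        raise RejectedQuery("db_name must be a plain identifier")
    return db_name

def split_statements(sql):
    # Walk the entire string, not a prefix, splitting on ';' outside quotes.
    parts, buf, quote = [], [], None
    for i, ch in enumerate(sql):
        if ch == "\\":
            raise RejectedQuery("backslashes are not accepted")
        if quote:
            quote = None if ch == quote else quote
        elif ch in "'\"`":
            quote = ch
        elif sql.startswith(("--", "/*", "#"), i):
            raise RejectedQuery("comments are not accepted")
        elif ch == ";":
            parts.append("".join(buf))
            buf = []
            continue
        buf.append(ch)
    if quote:
        raise RejectedQuery("unterminated quoted string")
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]

def prepare_exec_query(db_name, sql):
    # Hypothetical handler front end: db and statement are returned separately
    # so the caller selects the database via the driver, not by concatenation.
    db = validate_db_name(db_name)
    statements = split_statements(sql)
    if len(statements) != 1:
        raise RejectedQuery("exactly one statement is required")
    if statements[0].split(None, 1)[0].lower() not in _READ_ONLY:
        raise RejectedQuery("only read-only statements are accepted")
    return db, statements[0]
```

The keyword allowlist is a coarse policy check; the database account behind the MCP server should still be least-privilege so that a validator miss does not translate into write access.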