MCP Database Flaws — Apache Doris, Pinot and Alibaba RDS Vulnerabilities
AI relevance: MCP servers that sit between AI agents and production databases lack proper input validation, authentication, and query sanitization — turning agent tool calls into direct database attacks.
Akamai security analyst Tomer Peled discovered three critical vulnerabilities in MCP (Model Context Protocol) servers for popular database projects, revealing a systemic pattern of missing security validation between MCP servers and their back ends. Peled presented findings on May 13 and plans a full talk at x33fcon.
Apache Doris MCP — CVE-2025-66335 (Patched)
- SQL injection through the `db_name` parameter in the `exec_query` function, versions before 0.6.1.
- The SQL validator only checks the first portion of the query; the injected payload bypasses it entirely.
- Any client connected to the Doris MCP server can execute arbitrary commands on the database instance.
- Doris serves 10,000+ mid- and large-enterprise users for analytics and search workloads.
- Apache issued a patch in December; CVE assigned.
Apache Pinot MCP — Unauthenticated Access (Partially Mitigated)
- StarTree's MCP integration for Pinot used HTTP transport with no authentication requirement before v2.0.0.
- Externally reachable MCP endpoints allowed unauthenticated query execution, enabling full database takeover.
- StarTree added OAuth as an authentication option, reducing exposure, but SQL injection remains in the code.
- Affects Pinot MCP v1.1.0 and earlier.
- An open security issue exists in the MCP Pinot GitHub repository.
Alibaba RDS MCP — Information Disclosure (Unpatched)
- The RDS MCP server does not authenticate clients before invoking the RAG tool.
- Anyone who can reach the endpoint can issue requests and retrieve vector index contents, including table names, schema definitions, and sensitive metadata.
- Alibaba declined to patch the vulnerability.
Why it matters
MCP servers have become the standard bridge between AI agents and enterprise data stores. The pattern across all three findings is the same: MCP servers pass agent inputs directly to back-end databases without adequate validation. As Peled notes, "These gaps will become high-value targets for attackers and we expect more of these issues to surface." Every database project rushing to ship an MCP server is potentially replicating these mistakes.
What to do
- Update Apache Doris MCP to v0.6.1+ immediately if you run it.
- Require authentication on all MCP endpoints — never expose MCP servers to the internet without access controls.
- Validate and sanitize all parameters passed from MCP tool calls to back-end queries; use parameterized SQL rather than string concatenation.
- Audit MCP server code for the same pattern: does user-controlled input reach the database without validation?
- Network-isolate MCP-to-database connections — use internal networks, never public-facing endpoints for database back ends.
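
The validation advice above, as an added example (not code from the Doris, Pinot or RDS MCP servers): a tool parameter such as `db_name` is an identifier and cannot be bound like a value, so it is allowlisted and quoted, while values are bound. All function names, the allowlist and the sqlite3 stand-in back end are assumptions.

```python
import re
import sqlite3

# All names here are hypothetical; sqlite3 stands in for the real back end.
IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")
ALLOWED_DBS = {"main"}  # databases this tool is permitted to query

def prefix_only_validator(sql: str) -> bool:
    """Weak check: looks only at how the statement begins."""
    return sql.lstrip().upper().startswith("SELECT")

def build_unsafe(db_name: str) -> str:
    """Weak pattern: a tool parameter is concatenated into the SQL text."""
    return f"SELECT id, name FROM {db_name}.users"

def quote_ident(name: str) -> str:
    """Accept a strict identifier only, then quote it."""
    if not isinstance(name, str) or not IDENT_RE.fullmatch(name):
        raise ValueError(f"rejected identifier: {name!r}")
    return f'"{name}"'

def query_user(conn, db_name: str, user_id: int):
    """Hardened path: allowlisted identifier, bound value, fixed statement shape."""
    if db_name not in ALLOWED_DBS:
        raise ValueError(f"database not allowed: {db_name!r}")
    sql = f"SELECT id, name FROM {quote_ident(db_name)}.users WHERE id = ?"
    return conn.execute(sql, (user_id,)).fetchall()

def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice')")
    constructed = "main.users; DELETE FROM users; --"  # constructed sample input
    # The weak validator accepts the concatenated text because it starts with SELECT.
    passes_weak_check = prefix_only_validator(build_unsafe(constructed))
    try:
        query_user(conn, constructed, 1)
        rejected = False
    except ValueError:
        rejected = True
    return passes_weak_check, rejected, query_user(conn, "main", 1)

if __name__ == "__main__":
    print(demo())
```
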