AWS MCP Gateway Registry SQL Injection Exposes API Key Material — CVE-2026-14471

AWS has disclosed CVE-2026-14471, an authenticated SQL injection in the metrics-service retention-policy component of the open-source MCP Gateway Registry. A remote user with access to the service can craft a table_name value that is interpolated into SQL identifier position, allowing arbitrary queries against the metrics database.

What changed

  • The affected range is 1.0.3 through 1.0.12, inclusive. Version 1.0.13 contains the fix.
  • AWS says exploitation can read stored data, including API key material, and delete or alter data in the metrics database.
  • The attack is remote and requires low privileges but no user interaction. Amazon assigned CVSS 4.0 score 8.6 and CVSS 3.1 score 8.1, both High.
  • AWS lists no workaround: operators must upgrade to 1.0.13 or later and carry the patch into forks or derivative builds.
  • NVD was still awaiting its own enrichment at publication; the scores above are the Amazon CNA assessments, not independent NVD scores.

Why it matters

MCP gateways are security concentrators: they sit between agents and tool servers, centralizing discovery, authentication, authorization, and proxying. That makes a data-layer flaw more consequential than an ordinary metrics bug. API key material in the same database can turn a low-privilege foothold into access to other agent tools or services, while arbitrary modification can undermine the telemetry defenders use to investigate misuse.

The vulnerability also illustrates a boundary that prepared statements do not automatically solve. SQL identifiers such as table names generally cannot be parameterized like ordinary values. They require strict allowlisting or safe identifier construction; inserting caller-controlled names into a statement preserves an injection path even when value parameters elsewhere are handled correctly.

Authentication lowers exposure but does not neutralize the issue. Agent platforms commonly support multiple users, service identities, and automated clients. A compromised low-privilege token or malicious tenant can satisfy the prerequisite, and no human approval is needed once the vulnerable retention-policy operation is reachable.

Defensive engineering guidance

  • Inventory MCP Gateway Registry deployments, including containers, vendored copies, forks, and derivative products; upgrade every affected instance to 1.0.13 or later.
  • Because vulnerable queries can disclose API key material, review access and query logs and rotate keys stored in affected databases when exposure cannot be confidently excluded.
  • Look for unusual retention-policy changes, malformed table names, unexpected reads, and destructive database operations. Validate telemetry against independent infrastructure logs because database records may have been altered.
  • Restrict gateway administration endpoints by network and identity policy. Separate operational telemetry from long-lived secrets wherever architecture permits.
  • Audit derivative code for dynamic SQL identifiers and replace caller-controlled names with an explicit server-side allowlist.

Sources: