What happened
The metrics-service component of AWS's MCP Gateway Registry builds SQL statements by interpolating a user-supplied table_name parameter without parameterization, allowing an authenticated attacker to inject arbitrary SQL.
Why it matters
MCP gateway/registry services sit at the control plane for enterprise agentic-AI tool discovery and routing; a SQL injection here could let an authenticated low-privilege user read or corrupt registry metadata governing which MCP tools agents are permitted to call, an attack that undermines the trust boundary for the whole agent-tooling fleet.
Attack vector
Improper neutralization of special elements in the metrics-service retention policy management component allows an authenticated remote user to execute arbitrary SQL queries via a crafted table_name value that is interpolated directly into SQL statements.
Affected systems
Amazon mcp-gateway-registry, versions before 1.0.13
Mitigation
Upgrade to mcp-gateway-registry >= 1.0.13 per AWS security bulletin 2026-052-aws.