What happened
The Apache Doris MCP Server contains a SQL injection vulnerability in a metadata query path where a user-controlled database name is directly interpolated into a SQL query without parameterisation, and the query executes without passing the caller's authorisation context. This may allow an authenticated attacker, or an anonymous attacker if the MCP server is exposed without authentication, to perform SQL injection. CVSS 8.1 High; published 2026-06-22 with an Apache mailing list advisory.
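The two defects described above, a user-supplied database name spliced into the SQL text and a query that runs without the caller's authorisation context, are easiest to see side by side. The following is an added illustration, not code from the Apache Doris MCP Server; it uses an in-memory SQLite table as a stand-in for the warehouse's information_schema.tables and a hypothetical CallerContext type for the authorisation context an MCP request handler would carry. A real Doris connection goes over the MySQL protocol, where the driver's placeholder is typically %s rather than SQLite's ?, but the pattern (allow-list the identifier, bind values as parameters, check the caller before executing) is the same.

```python
import re
import sqlite3
from dataclasses import dataclass, field


# Hypothetical stand-in for the caller's authorisation context that an MCP
# request handler would receive (not a real Doris MCP Server type).
@dataclass(frozen=True)
class CallerContext:
    user: str
    allowed_dbs: frozenset = field(default_factory=frozenset)


# Conservative allow-list for a database identifier: letters, digits and
# underscore only, so nothing can close a quote or append a clause.
IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")


def build_catalog() -> sqlite3.Connection:
    """Constructed sample catalogue standing in for information_schema.tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tables (table_schema TEXT, table_name TEXT)")
    conn.executemany(
        "INSERT INTO tables VALUES (?, ?)",
        [("sales", "orders"), ("sales", "customers"), ("hr", "salaries")],
    )
    conn.commit()
    return conn


def list_tables_vulnerable(conn: sqlite3.Connection, db_name: str) -> list:
    """The defect pattern: the name is interpolated straight into the SQL text
    and the statement runs with no check on who is asking."""
    sql = f"SELECT table_name FROM tables WHERE table_schema = '{db_name}'"
    return [row[0] for row in conn.execute(sql)]


def list_tables_hardened(
    conn: sqlite3.Connection, db_name: str, caller: CallerContext
) -> list:
    """Validate the identifier, enforce the caller's authorisation, and bind the
    value as a parameter so the driver never parses it as SQL."""
    if not IDENT_RE.fullmatch(db_name):
        raise ValueError(f"invalid database name: {db_name!r}")
    if db_name not in caller.allowed_dbs:
        raise PermissionError(f"{caller.user} may not read metadata of {db_name!r}")
    sql = "SELECT table_name FROM tables WHERE table_schema = ?"
    return [row[0] for row in conn.execute(sql, (db_name,))]


def quote_identifier(db_name: str) -> str:
    """Where the name is an identifier rather than a value (e.g. SHOW TABLES
    FROM <db>), it cannot be bound as a parameter; the allow-list plus
    backtick quoting is the defence."""
    if not IDENT_RE.fullmatch(db_name):
        raise ValueError(f"invalid database name: {db_name!r}")
    return f"`{db_name}`"


if __name__ == "__main__":
    conn = build_catalog()
    analyst = CallerContext(user="analyst", allowed_dbs=frozenset({"sales"}))
    hostile = "sales' OR '1'='1"  # constructed input that closes the quote
    # The vulnerable path returns rows from every schema, including hr.
    print("vulnerable:", list_tables_vulnerable(conn, hostile))
    for name in ("sales", "hr", hostile):
        try:
            print("hardened:", name, list_tables_hardened(conn, name, analyst))
        except (ValueError, PermissionError) as exc:
            print("hardened rejected:", exc)
```

Run stand-alone, the vulnerable function returns all three tables for the constructed input, while the hardened function returns only the sales tables for a caller permitted to read sales, refuses hr for that caller on authorisation grounds, and rejects the malformed name before any query is built. Detection-wise, a metadata request whose database name fails the identifier allow-list is itself a useful log signal.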
Why it matters
MCP servers for data warehouses such as Apache Doris are used to give LLM agents direct SQL query capability over production analytics data. A SQL injection in the MCP server's metadata path allows an attacker, or an agent whose instructions have been hijacked by prompt injection, to read arbitrary data, bypass row-level security, or potentially achieve remote code execution (RCE) via database-native functions. In effect it turns an LLM's data access tool into a direct database attack vector.
Attack vector
An authenticated attacker (or an anonymous one, if the server is exposed without authentication) supplies a crafted database name to the metadata query path of the Doris MCP Server. Because the name is interpolated into the query without parameterisation, and the query runs without the caller's authorisation context, the crafted value is executed as SQL.
Affected systems
Apache Doris MCP Server (versions per Apache advisory)
Mitigation
Apply the Apache Doris MCP Server patch listed in the Apache advisory. Because the flaw is reachable anonymously when the server is exposed without authentication, also confirm that the MCP endpoint is not reachable unauthenticated until the patched version is deployed. Advisory: https://lists.apache.org/thread/4l4v3m7ofwrgp4s4s98pjb5l03fcrzo2; NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-66336