GHSA-pqrj-4gwg-h5f7
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Network-reachable MCP endpoint with low-complexity SQLi; PR:L because authenticated by default (auth-disabled deployments would warrant PR:N); metadata read is C:H, limited write/bypass impact justifies I:L, no availability effect.
Primary rating from Vendor (CNA).
CVSS VectorVendor
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
7Description PRE-NVD
Articles & Coverage 1
AnalysisAI
SQL injection in Apache Doris MCP Server versions 0.1.0 through 0.6.0 allows authenticated attackers (or anonymous attackers when authentication is disabled) to inject arbitrary SQL through a database-name parameter in a metadata query path, bypassing the caller's authorization context. Because the query executes without the requester's auth context, attackers can read metadata across databases they should not be able to see. No public exploit identified at time of analysis, and SSVC currently marks exploitation as 'none'.
Technical ContextAI
Apache Doris MCP Server is the Model Context Protocol server component of the Apache Doris real-time analytical database, designed to expose Doris metadata and query capabilities to LLM agents and other MCP clients. The root cause is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command): a user-controlled database identifier is concatenated directly into a SQL statement that drives a metadata lookup, rather than being parameterized or validated against an allow-list. Compounding the injection itself, the affected code path executes the resulting query without propagating the caller's authorization context, so Doris's normal SQL-level access controls cannot filter out objects the user is not entitled to see.
RemediationAI
Vendor-released patch: Apache Doris MCP Server 0.6.1 - upgrade any deployment in the 0.1.0-0.6.0 range to 0.6.1 or later as the primary fix, per the Apache advisory at https://lists.apache.org/thread/4l4v3m7ofwrgp4s4s98pjb5l03fcrzo2 and the oss-security post at https://seclists.org/oss-sec/2026/q2/994. If immediate upgrade is not possible, ensure MCP Server authentication is enabled and restricted to trusted identities (do not run with auth disabled), and place the MCP Server behind a network boundary that blocks untrusted clients from reaching its endpoints - accepting the trade-off that LLM agents and other MCP consumers outside that boundary will lose access. As a further defense, audit Doris account privileges so the database role used by the MCP Server has only the minimum metadata access required, which limits the blast radius of any residual injection or auth-context bypass until the patch is applied.
More in Doris Mcp Server
View allSame weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210295