Skip to main content

Apache Doris MCP Server CVE-2025-66336

| EUVDEUVD-2025-210295 HIGH
SQL Injection (CWE-89)
8.1
CVSS 3.1 · Vendor
Share

Severity by source

Vendor (CNA) PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
vuln.today AI
6.5 MEDIUM

Network-reachable MCP endpoint with low-complexity SQLi; PR:L because authenticated by default (auth-disabled deployments would warrant PR:N); metadata read is C:H, limited write/bypass impact justifies I:L, no availability effect.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (CNA).

CVSS VectorVendor

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

7
Analysis Updated
Jun 22, 2026 - 18:30 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 22, 2026 - 18:30 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 22, 2026 - 18:23 vuln.today
cvss_changed
Severity Changed
Jun 22, 2026 - 18:23 NVD
CRITICAL HIGH
CVSS changed
Jun 22, 2026 - 18:23 NVD
8.1 (CRITICAL) 8.1 (HIGH)
Patch available
Jun 22, 2026 - 09:01 EUVD
Analysis Generated
Jun 22, 2026 - 06:51 vuln.today

Description PRE-NVD

Disclosed via oss-security. NVD scoring and full description are pending.

AnalysisAI

SQL injection in Apache Doris MCP Server versions 0.1.0 through 0.6.0 allows authenticated attackers (or anonymous attackers when authentication is disabled) to inject arbitrary SQL through a database-name parameter in a metadata query path, bypassing the caller's authorization context. Because the query executes without the requester's auth context, attackers can read metadata across databases they should not be able to see. No public exploit identified at time of analysis, and SSVC currently marks exploitation as 'none'.

Technical ContextAI

Apache Doris MCP Server is the Model Context Protocol server component of the Apache Doris real-time analytical database, designed to expose Doris metadata and query capabilities to LLM agents and other MCP clients. The root cause is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command): a user-controlled database identifier is concatenated directly into a SQL statement that drives a metadata lookup, rather than being parameterized or validated against an allow-list. Compounding the injection itself, the affected code path executes the resulting query without propagating the caller's authorization context, so Doris's normal SQL-level access controls cannot filter out objects the user is not entitled to see.

RemediationAI

Vendor-released patch: Apache Doris MCP Server 0.6.1 - upgrade any deployment in the 0.1.0-0.6.0 range to 0.6.1 or later as the primary fix, per the Apache advisory at https://lists.apache.org/thread/4l4v3m7ofwrgp4s4s98pjb5l03fcrzo2 and the oss-security post at https://seclists.org/oss-sec/2026/q2/994. If immediate upgrade is not possible, ensure MCP Server authentication is enabled and restricted to trusted identities (do not run with auth disabled), and place the MCP Server behind a network boundary that blocks untrusted clients from reaching its endpoints - accepting the trade-off that LLM agents and other MCP consumers outside that boundary will lose access. As a further defense, audit Doris account privileges so the database role used by the MCP Server has only the minimum metadata access required, which limits the blast radius of any residual injection or auth-context bypass until the patch is applied.

Share

CVE-2025-66336 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy