Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
6DescriptionCVE.org
Apache Doris MCP Server versions earlier than 0.6.1 are affected by an improper neutralization flaw in query context handling that may allow execution of unintended SQL statements and bypass of intended query validation and access restrictions through the MCP query execution interface. Version 0.6.1 and later are not affected.
AnalysisAI
SQL injection in Apache Doris MCP Server versions before 0.6.1 allows unauthenticated remote attackers to execute unintended SQL statements and bypass query validation and access restrictions via improper neutralization in the MCP query execution interface. The vulnerability has a CVSS score of 5.3 (network-accessible, low complexity, no authentication required) but is classified as partial impact (confidentiality only, no integrity or availability impact) and has not been confirmed as actively exploited. A vendor patch is available.
Technical ContextAI
Apache Doris MCP Server is a Model Context Protocol (MCP) server component of the Apache Doris distributed SQL analytics engine. The vulnerability exists in the query context handling mechanism within the MCP query execution interface, which fails to properly neutralize user-supplied input when constructing SQL statements. This is a classic SQL injection flaw (CWE-89: Improper Neutralization of Special Elements used in an SQL Command) where untrusted input passed through the MCP interface reaches SQL execution without sufficient parameterization or escaping. The MCP (Model Context Protocol) is an interface protocol that allows external tools and models to interact with Doris query execution. The affected CPE (cpe:2.3:a:apache_software_foundation:apache_doris_mcp_server:*:*:*:*:*:*:*:*) indicates all versions of the Doris MCP Server component up to 0.6.0 are vulnerable.
RemediationAI
Upgrade Apache Doris MCP Server to version 0.6.1 or later immediately to remediate the SQL injection vulnerability. The vendor has released a patched version as confirmed by the Apache advisory at https://lists.apache.org/thread/odp0fyyst8kxm7hhm9z4d1snh1y4hjpy. Until patching is feasible, implement network segmentation to restrict access to the MCP query execution interface to trusted internal clients only; disable or restrict the MCP protocol if it is not required for operations; and apply input validation and parameterized query frameworks at the application layer if custom integrations exist. Note that network restriction reduces attack surface but does not eliminate the vulnerability if internal systems are compromised. Input validation at the application layer is effective but adds latency and maintenance burden; parameterized queries are the preferred long-term compensating control. Upgrading to 0.6.1 is the only permanent fix and should be prioritized.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209532
GHSA-qhfq-gvvc-5q6q