Skip to main content

Mcp Gateway Registry

1 CVEs product

Monthly

CVE-2026-14471 HIGH PATCH This Week

SQL injection in the Amazon (agentic-community) mcp-gateway-registry before 1.0.13 allows an authenticated remote user to execute arbitrary SQL queries by supplying a crafted table_name that the metrics-service retention policy component interpolates directly into SQL in identifier position. Because the injection sits in an identifier (table name) position rather than a parameterizable value, it bypasses ordinary prepared-statement protections and grants broad read/write access to the metrics datastore. No public exploit identified at time of analysis, and the flaw is not on the CISA KEV list; a vendor patch (v1.0.13) is available.

SQLi Mcp Gateway Registry
NVD GitHub VulDB
CVSS 4.0
8.6
EPSS
0.3%
EPSS 0% CVSS 8.6
HIGH PATCH This Week

SQL injection in the Amazon (agentic-community) mcp-gateway-registry before 1.0.13 allows an authenticated remote user to execute arbitrary SQL queries by supplying a crafted table_name that the metrics-service retention policy component interpolates directly into SQL in identifier position. Because the injection sits in an identifier (table name) position rather than a parameterizable value, it bypasses ordinary prepared-statement protections and grants broad read/write access to the metrics datastore. No public exploit identified at time of analysis, and the flaw is not on the CISA KEV list; a vendor patch (v1.0.13) is available.

SQLi Mcp Gateway Registry
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy