Critical Vulnerability Found in MCP Servers: Apache Fixes, Alibaba Refuses to Act
A security vulnerability in MCP servers of Apache Doris and Alibaba RDS poses risks like SQL injection and metadata theft. While Apache has issued a patch, Alibaba refuses to address the issue, leaving threats unresolved.
Critical Security Flaw Discovered in MCP Servers
A serious security vulnerability has been discovered in servers implementing MCP (Model Context Protocol), a protocol designed to connect AI agents with databases. Security analyst Tomer Peled investigated the issue and reported its impact on three projects: Apache Doris, Alibaba RDS, and Apache Pinot. Among these, Alibaba RDS remains at risk because the vendor has opted not to provide a patch.
Peled pointed out that the vulnerability stems from “a lack of or insufficient security verification between MCP servers and the backend.” He warned that because MCP servers act as intermediaries between AI agents and production databases, any weakness in them makes them high-value targets for attackers.
Apache Doris: SQL Injection Allowing Arbitrary Command Execution
Apache Doris is a high-speed analytics and search database used by over 10,000 mid-size and large enterprises. Its MCP server enables AI agents to execute SQL queries and retrieve metadata from Doris instances.
The discovered vulnerability, registered as CVE-2025-66335, is an SQL injection flaw. The “exec_query” function in the MCP server constructs SQL queries using the “db_name” parameter without proper validation, allowing attackers to inject malicious SQL. Because the server’s SQL validator inspects only the beginning of the query, injected commands placed later in the statement can pass the check and be executed.
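The weakness described above, as an added example constructed for this article (it is not code from the Apache Doris MCP server): a prefix-only statement check, which accepts anything as long as the first keyword looks read-only, is shown beside the checks that actually close the gap: a strict identifier pattern for db_name, a lookup against the databases the backend reports, backtick quoting of the identifier, and a single-statement rule that tolerates semicolons inside string literals and comments. The names exec_query_hardened, KNOWN_DATABASES, is_rejected and the sample statements are assumptions made for this example.

```python
import re

# Constructed illustration, not the Apache Doris MCP server's own code.
# KNOWN_DATABASES, exec_query_hardened and the sample SQL are assumptions.

IDENTIFIER_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")
READ_ONLY_PREFIXES = ("SELECT", "SHOW", "DESCRIBE", "DESC", "EXPLAIN")

# Stand-in for the database list the backend actually reports; a real
# server would refresh this from the backend rather than hard-code it.
KNOWN_DATABASES = {"analytics", "sales"}


def prefix_only_validator(sql: str) -> bool:
    """The weak pattern: only the first keyword is inspected, so a second
    statement appended after the first one is accepted unchanged."""
    return sql.lstrip().upper().startswith(READ_ONLY_PREFIXES)


def count_statements(sql: str) -> int:
    """Count top-level statements by scanning for ';' outside string
    literals and comments. Returns -1 for an unterminated literal."""
    count, i, n = 0, 0, len(sql)
    in_quote = None            # quote character of the literal we are inside
    segment_has_text = False   # current segment contains non-whitespace
    while i < n:
        ch = sql[i]
        if in_quote:
            if ch == "\\":     # backslash escape inside a literal
                i += 2
                continue
            if ch == in_quote:
                in_quote = None
            i += 1
            continue
        if ch in ("'", '"', "`"):
            in_quote = ch
            segment_has_text = True
        elif sql.startswith("--", i):          # line comment to end of line
            nl = sql.find("\n", i)
            i = n if nl == -1 else nl
            continue
        elif sql.startswith("/*", i):          # block comment
            end = sql.find("*/", i + 2)
            i = n if end == -1 else end + 2
            continue
        elif ch == ";":
            if segment_has_text:
                count += 1
            segment_has_text = False
        elif not ch.isspace():
            segment_has_text = True
        i += 1
    if in_quote:
        return -1
    return count + (1 if segment_has_text else 0)


def validate_db_name(db_name: str) -> str:
    """Reject anything that is not a plain identifier, then require that it
    names a database the backend has. Returns the backtick-quoted name."""
    if not IDENTIFIER_RE.fullmatch(db_name):
        raise ValueError("db_name is not a valid identifier")
    if db_name not in KNOWN_DATABASES:
        raise ValueError("unknown database")
    return f"`{db_name}`"


def exec_query_hardened(db_name: str, sql: str) -> list:
    """Return the statements the server would send, in order: a USE of the
    validated database, then exactly one read-only user statement."""
    quoted = validate_db_name(db_name)
    if count_statements(sql) != 1:
        raise ValueError("exactly one statement is allowed")
    if not prefix_only_validator(sql):
        raise ValueError("only read-only statements are allowed")
    return [f"USE {quoted}", sql.strip().rstrip(";")]


def is_rejected(db_name: str, sql: str) -> bool:
    """True when the hardened path refuses the request."""
    try:
        exec_query_hardened(db_name, sql)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed requests: the first is a plain read, the second carries a
    # second statement that the prefix-only check would let through.
    print(exec_query_hardened("analytics", "SELECT 1"))
    print(prefix_only_validator("SELECT 1; SHOW DATABASES"))
    print(is_rejected("analytics", "SELECT 1; SHOW DATABASES"))
```

The identifier check is deliberately an allowlist of characters rather than a denylist of dangerous ones: a database name that is not a bare word has no legitimate reason to reach the server, so anything else is refused before it is placed in a statement. The statement counter is kept independent of the keyword check because the two catch different things: one rejects stacked statements, the other rejects writes.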
Apache has addressed the issue by releasing a patch (version 0.6.1 and later) and publishing a CVE tracker for the vulnerability.
Alibaba RDS: Metadata Theft Risk, No Fix Provided
In contrast, the MCP server of Alibaba’s Relational Database Service (RDS) was found to have a vulnerability allowing attackers to steal sensitive metadata. According to Peled, Alibaba has decided not to address this issue.
While specific attack methods and the scope of the impact have not been disclosed, leaked database metadata, such as schema information and table structures, could lead to further attacks. Alibaba’s refusal to provide a fix is a disappointing decision for its users.
Apache Pinot: Unpatched Open Ticket
Apache Pinot, a distributed database for real-time analytics, also has a reported vulnerability in its MCP server. It has been suggested that publicly accessible Pinot instances could be compromised.
At present, an open ticket has been created in Pinot’s GitHub repository, but a patch has yet to be released. Progress on this issue is being closely monitored.
Security Challenges of the MCP Protocol Highlighted
MCP, an open-source protocol developed by Anthropic, serves as a framework for connecting large language models (LLMs), AI applications, external data, and other systems. This series of vulnerabilities suggests fundamental issues in the security design of the MCP ecosystem.
Peled predicts that “these security gaps will become increasingly valuable targets for attackers, and similar problems are likely to surface in the future.” As AI agents become more deeply integrated into production environments, ensuring the robustness of MCP servers has become an urgent priority.
Users are advised to confirm the security measures taken by their MCP server providers and apply the latest patches whenever possible. In particular, Alibaba RDS users should consider additional monitoring and access restrictions to mitigate risks.
Frequently Asked Questions
- What is MCP (Model Context Protocol)?
- MCP is an open-source protocol developed by Anthropic, designed to provide a standardized interface for large language models (LLMs) and AI applications to connect with external databases, systems, and other AI agents. It serves as a foundation for secure data access by AI agents.
- Why is Alibaba refusing to provide a patch for the vulnerability?
- The article does not specify the exact reasons for Alibaba's decision to refuse the fix. Vendor decisions often depend on factors like cost, priorities, and risk assessment, but this leaves security concerns unaddressed for users.
- How can MCP server vulnerabilities be mitigated?
- Developers of MCP servers should enhance input validation and authentication between the server and backend systems. Users should ensure that their MCP servers are updated to the latest version with security patches. Additionally, restricting network access and implementing monitoring can provide further safeguards.