@executeautomation/database-server does not properly restrict access, bypassing a "read-only" mode
Description
The mcp-database-server (MCP Server) 1.1.0 and earlier, as distributed via the npm package @executeautomation/database-server, fails to implement adequate security controls to properly enforce a "read-only" mode. This vulnerability affects only the npm distribution; other distributions are not impacted. As a result, the server is susceptible to abuse and attacks on affected database systems such as PostgreSQL, and potentially others that expose elevated functionalities. These attacks may lead to denial of service and other unexpected behaviors.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The npm-distributed @executeautomation/database-server MCP Server fails to enforce read-only mode, allowing SQL injection and multi-statement queries that can lead to denial of service.
Root Cause
The MCP Database Server package @executeautomation/database-server (versions 1.1.0 and earlier) implements a "read-only" mode using a naive check that verifies whether a query string starts with "SELECT". This implementation is insufficient because the PostgreSQL driver (pg) supports multi-statement queries when statements are separated by semicolons. Therefore, a query like SELECT 1; DROP TABLE users; passes the startsWith('SELECT') check but executes arbitrary subsequent statements [1][3]. The vulnerable code resides in the read_query tool handler inside index.ts [3].
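An added illustration (not the project's code) of the contrast the advisory draws: the prefix check beside a check that splits the query on statement boundaries, ignoring semicolons inside string literals, quoted identifiers, dollar-quoted strings and comments, and accepts only a single SELECT. Function names are assumptions.

```javascript
// Naive check as described in the advisory: only the prefix is inspected,
// so "SELECT 1; DROP TABLE users;" passes.
function naiveIsReadOnly(query) {
  return query.trim().toUpperCase().startsWith('SELECT');
}

// Split SQL into statements on semicolons that sit outside string literals,
// quoted identifiers, dollar-quoted strings ($tag$...$tag$) and comments.
function splitStatements(sql) {
  const stmts = [];
  let cur = '';
  let i = 0;
  while (i < sql.length) {
    const ch = sql[i];
    const two = sql.slice(i, i + 2);
    if (two === '--') {                       // line comment: drop to end of line
      const end = sql.indexOf('\n', i);
      i = end === -1 ? sql.length : end;
      continue;
    }
    if (two === '/*') {                       // block comment: drop whole comment
      const end = sql.indexOf('*/', i + 2);
      i = end === -1 ? sql.length : end + 2;
      continue;
    }
    if (ch === "'" || ch === '"') {           // quoted text, with '' / "" escapes
      let j = i + 1;
      while (j < sql.length) {
        if (sql[j] === ch) { if (sql[j + 1] === ch) { j += 2; continue; } break; }
        j++;
      }
      cur += sql.slice(i, j + 1); i = j + 1; continue;
    }
    if (ch === '$') {                         // dollar quoting, e.g. $$ ... $$
      const m = /^\$[A-Za-z_]*\$/.exec(sql.slice(i));
      if (m) {
        const end = sql.indexOf(m[0], i + m[0].length);
        const j = end === -1 ? sql.length : end + m[0].length;
        cur += sql.slice(i, j); i = j; continue;
      }
    }
    if (ch === ';') { stmts.push(cur); cur = ''; i++; continue; }
    cur += ch; i++;
  }
  stmts.push(cur);
  return stmts.map((s) => s.trim()).filter(Boolean);
}

// Stricter check: exactly one statement, and that statement is a SELECT.
function isSingleSelect(query) {
  const stmts = splitStatements(query);
  return stmts.length === 1 && /^SELECT\b/i.test(stmts[0]);
}
```

Even a single SELECT can invoke functions with side effects, so a check like this is a stopgap; the durable control is connecting with a database role that holds only SELECT privileges.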
Exploitation
An attacker can exploit this by sending a crafted query to the MCP server's read_query tool. The server only requires the query string to begin with "SELECT", so any number of additional statements—including destructive operations—can be appended after a semicolon. This bypasses the intended read-only restriction entirely. The attack is possible without authentication if the MCP server is exposed to untrusted clients, as the tool is accessible via the standard MCP CallToolRequest handler [3].
Impact
Successful exploitation allows an attacker to execute arbitrary SQL commands on the connected database, including INSERT, UPDATE, DELETE, DROP, and administrative functions. This can lead to data corruption, data loss, and denial of service (e.g., by dropping tables or exhausting database resources). The advisory specifically highlights risks for PostgreSQL databases, but the same issue may affect other database servers that support multi-statement queries [1][2][3].
Mitigation
As of the publication date, no patched version has been released. The vulnerable package is distributed exclusively through npm (@executeautomation/database-server); other distributions are reportedly unaffected [2]. Users should immediately restrict network access to the MCP server, implement a proper query allowlist or parameterized queries, and monitor the repository for a security update [1][3].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| @executeautomation/database-server | npm | <= 1.1.0 | — |
Affected products
- executeautomation/mcp-database-server, range: <= 1.1.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] github.com/advisories/GHSA-65hm-pwj5-73pw (GHSA advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2025-59333 (NVD advisory)
- [3] github.com/executeautomation/mcp-database-server/security/advisories/GHSA-65hm-pwj5-73pw (repository security advisory)
News mentions
No linked articles in our index yet.