VYPR
Research · Published May 13, 2026 · Updated May 18, 2026 · 1 source

Three Critical MCP Server Flaws Expose Database Flaws: Apache Patches, Alibaba Declines to Fix

Akamai researcher Tomer Peled disclosed three vulnerabilities in MCP servers for Apache Doris, Apache Pinot, and Alibaba RDS, with Alibaba refusing to patch its information disclosure flaw.

MCP servers for three major database projects contain critical vulnerabilities that could allow attackers to execute arbitrary SQL, exfiltrate sensitive metadata, or fully compromise exposed instances. Akamai security analyst Tomer Peled disclosed the flaws on Tuesday and will present his full research at x33fcon next month. While Apache has patched one issue and opened a security ticket for another, Alibaba declined to fix its vulnerability, leaving users at risk.

MCP, or Model Context Protocol, is an open-source protocol originally developed by Anthropic that allows LLMs, AI applications, and agents to connect to external data, systems, and one another. The three vulnerabilities highlight a broader security gap in MCP server development. “There is missing or faulty security validation between the MCP server and its back end,” Peled wrote, adding that these security “gaps will become high-value targets for attackers and we expect more of these issues to surface.”

The first flaw, CVE-2025-66335, is a SQL injection vulnerability in the Apache Doris MCP Server before version 0.6.1. Apache Doris is a high-speed analytics database with more than 10,000 enterprise users. The MCP server’s “exec_query” function fails to validate the db_name parameter before constructing SQL queries, allowing an attacker to inject malicious SQL. The SQL validator only checks the first portion of the query, so it sees only the attacker’s directive. Apache issued a patch in December to fix this flaw.
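The pattern described above, as an added example that is not the Apache Doris MCP Server's code: a query builder that checks only the statement text and concatenates `db_name` unvalidated, beside a hardened form. All function names, the identifier rule, and the sample input are assumptions made for illustration.

```python
import re

# Assumption: database names are plain identifiers (letters, digits, underscore).
_IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")
_READ_ONLY = ("select", "show", "describe", "explain")

# Constructed hostile input: a db_name value that smuggles a second statement.
HOSTILE_DB_NAME = "analytics; DELETE FROM audit_log -- "


def starts_read_only(sql: str) -> bool:
    """Prefix-only check: looks at the first keyword and nothing else."""
    return sql.lstrip().lower().startswith(_READ_ONLY)


def build_query_unsafe(db_name: str, sql: str) -> str:
    """'Before' form (hypothetical): sql is checked, db_name is concatenated as-is."""
    if not starts_read_only(sql):
        raise ValueError("only read-only statements are allowed")
    return f"USE {db_name}; {sql}"


def quote_ident(name: str) -> str:
    """Allowlist the identifier, then backtick-quote it."""
    if not _IDENT.fullmatch(name):
        raise ValueError(f"invalid database name: {name!r}")
    return f"`{name}`"


def build_query_safe(db_name: str, sql: str) -> str:
    """Hardened form: validate every caller-controlled part before assembly."""
    stmt = sql.strip().rstrip(";").rstrip()
    # Conservative: also rejects a ';' inside a string literal.
    if ";" in stmt:
        raise ValueError("multiple statements are not allowed")
    if not starts_read_only(stmt):
        raise ValueError("only read-only statements are allowed")
    return f"USE {quote_ident(db_name)}; {stmt}"


if __name__ == "__main__":
    print(build_query_unsafe(HOSTILE_DB_NAME, "SELECT 1"))
    try:
        build_query_safe(HOSTILE_DB_NAME, "SELECT 1")
    except ValueError as exc:
        print("rejected:", exc)
```

Identifiers cannot be bound as query parameters, which is why the hardened form allowlists and quotes `db_name` rather than relying on a prepared statement.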

The second issue is an authentication validation bypass in Apache Pinot MCP before v2.0.0. Apache Pinot is another fast analytics database, and StarTree’s MCP integration uses HTTP as the transport layer without requiring authentication. This exposes the endpoint to remote attackers, allowing them to invoke MCP tools, including those used for SQL execution. “In environments where the MCP endpoint is reachable externally, this behavior allows unauthenticated attackers to execute queries against the Pinot instance, which can allow a full remote takeover of the database,” Peled wrote. StarTree has since added OAuth authentication for the HTTP transport, and Apache has opened a security issue in the MCP Pinot GitHub repository.

The third flaw is an information disclosure issue in the Alibaba RDS MCP server. The server does not authenticate users before invoking the retrieval-augmented generation (RAG) MCP tool, which allows AI models to connect with and query databases. “Any client able to reach the MCP endpoint can issue requests to the server without any query validation,” Peled said. “The vector index may contain table names, schema definitions, or other potentially sensitive metadata, and unauthenticated attackers can exfiltrate this data with little or no effort.” All versions of Alibaba RDS MCP are affected. Peled reported the issue to Alibaba in November, but the cloud giant told him the issue is “not applicable” for a fix, so it remains in the codebase. Akamai also reported this inaction to the CERT Coordination Center.

Peled said that the threat-hunting team assumed there would be some baseline security specification for all MCP servers, but they were wrong. “This means that more attention should be given not just to the specification but also to the best security practices guides when developing secure MCP servers,” he wrote. The findings underscore the urgent need for standardized security validation in MCP implementations, especially as AI agents increasingly connect to production databases.

Synthesized by Vypr AI