Three Critical MCP Server Vulnerabilities Identified – One Remains Unpatched
#Vulnerabilities


Regulation Reporter

Security researcher discovers SQL‑injection and authentication flaws in Apache Doris, Apache Pinot and Alibaba RDS Model Context Protocol (MCP) servers. Apache has issued patches; Alibaba has declined to remediate its flaw, leaving the risk open for cloud customers.

Regulatory action → What it requires → Compliance timeline

Regulation: The EU General Data Protection Regulation (GDPR) Art. 32 mandates that controllers and processors implement "appropriate technical and organisational measures" to ensure a level of security appropriate to the risk. The U.S. Cybersecurity Information Sharing Act (CISA) and the California Consumer Privacy Act (CCPA) impose similar duties to protect personal data against unauthorised access.

What it requires: Any service that processes personal or business data – including Model Context Protocol (MCP) servers that expose database back‑ends to AI agents – must:

  1. Validate all inbound parameters before they are used to construct SQL statements.
  2. Authenticate every request to the MCP endpoint, regardless of whether the client is an AI model or a human user.
  3. Log and monitor anomalous query patterns and enforce rate‑limiting to detect abuse.
  4. Patch known vulnerabilities within a reasonable period after a CVE is published (typically 30 days for high‑severity findings).

Compliance timeline for the three MCP flaws:

Vulnerability | CVE / Issue ID | Required remediation date (per GDPR Art. 32) | Current vendor status
Apache Doris MCP – SQL injection on db_name parameter | CVE‑2025‑66335 | 30 days after 13 Dec 2025 (patch released 13 Dec 2025) | Patched in version 0.6.1; users must upgrade by 13 Jan 2026
Apache Pinot MCP – unauthenticated HTTP endpoint, possible SQL injection | Open security issue on GitHub (star‑tree/mcp‑pinot#112) | 30 days after public disclosure (13 May 2026) | No official patch yet; mitigation requires enabling OAuth or restricting network access.
Alibaba RDS MCP – unauthenticated RAG tool exposing vector index metadata | Internal advisory (no CVE assigned) | 30 days after vendor acknowledgement (Nov 2025) | Alibaba has declined to patch; risk remains until a fix is issued or the service is de‑commissioned.

1. Apache Doris MCP – Fixed SQL injection (CVE‑2025‑66335)

The Doris MCP server accepts five parameters when invoking the exec_query tool. The db_name argument is concatenated directly into the final SQL string without sanitisation. An attacker who can reach the MCP endpoint can supply a payload such as "mydb; DROP TABLE users;--", causing the server to execute arbitrary statements on the underlying Doris instance.

Compliance steps

  • Upgrade all Doris MCP deployments to version 0.6.1 or later.
  • Verify that the exec_query implementation now uses prepared statements or a strict whitelist for database identifiers.
  • Conduct a post‑upgrade scan with a tool such as SQLMap to confirm the injection surface is closed.
  • Document the upgrade in your change‑management system and retain the vendor’s patch notes for audit purposes.
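To make the verification step concrete, here is an added example (not code from the Doris MCP project or the article) that places the concatenation pattern described above beside an allow-list check of the kind step two asks you to confirm. The statement shape, the identifier policy (letters, digits, underscore, at most 64 characters) and the request dictionaries are assumptions for the example; the payload string is the one quoted in the article.

```python
import re
from typing import Dict, FrozenSet, Optional, Tuple

# Constructed requests shaped like an exec_query tool call (hypothetical field names).
# MALICIOUS_REQUEST carries the payload quoted in the article.
MALICIOUS_REQUEST: Dict[str, str] = {"db_name": "mydb; DROP TABLE users;--", "sql": "SELECT 1"}
BENIGN_REQUEST: Dict[str, str] = {"db_name": "sales_2025", "sql": "SELECT count(*) FROM orders"}

# Assumed identifier policy for this example: an unquoted MySQL-style identifier,
# first character a letter or underscore, total length capped at 64.
IDENTIFIER_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")


def build_use_statement_unsafe(db_name: str) -> str:
    """The defect the article describes: the parameter is spliced into SQL text as-is."""
    return "USE " + db_name + ";"


def validate_identifier(name: str) -> str:
    """Strict allow-list check for a database identifier; raises on anything else."""
    if not IDENTIFIER_RE.fullmatch(name):
        raise ValueError(f"rejected database identifier: {name!r}")
    return name


def build_use_statement_safe(db_name: str, allowed_databases: Optional[FrozenSet[str]] = None) -> str:
    """Validate the identifier, optionally check it against a deployment allow-list,
    then quote it as an identifier. The regex already excludes ';' and '--', and the
    backticks mean a validated name is read as a name, never as SQL syntax."""
    name = validate_identifier(db_name)
    if allowed_databases is not None and name not in allowed_databases:
        raise ValueError(f"database not permitted for this tool: {name!r}")
    return f"USE `{name}`;"


def exec_query_gate(request: Dict[str, str],
                    allowed_databases: Optional[FrozenSet[str]] = None) -> Tuple[bool, str]:
    """Returns (accepted, statement_or_reason) so callers can log every rejection."""
    try:
        return True, build_use_statement_safe(request["db_name"], allowed_databases)
    except (KeyError, ValueError) as exc:
        return False, str(exc)


if __name__ == "__main__":
    print("unsafe:", build_use_statement_unsafe(MALICIOUS_REQUEST["db_name"]))
    print("gated :", exec_query_gate(MALICIOUS_REQUEST))
    print("gated :", exec_query_gate(BENIGN_REQUEST, frozenset({"sales_2025"})))
```

The allow-list check is the part worth carrying into a post-upgrade test: feed the quoted payload through the tool boundary and confirm it is rejected with a logged reason rather than reaching the database, and pair that with a per-deployment list of database names the agent is actually permitted to touch.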

2. Apache Pinot MCP – Authentication bypass and residual injection risk

StarTree’s MCP integration for Pinot (v1.1.0 and earlier) exposes an HTTP endpoint that accepts MCP tool requests without any authentication header. The code still contains the same string‑concatenation bug identified in Doris, meaning an unauthenticated attacker can issue SELECT … statements and, if the endpoint is reachable from the internet, potentially gain full control of the Pinot cluster.

Compliance steps

  1. Restrict network access – place the MCP endpoint behind a firewall or VPC security group that only allows trusted IP ranges.
  2. Enable OAuth – the recent commit adds optional OAuth validation; configure a trusted identity provider and require a bearer token for every request.
  3. Apply a temporary mitigation – if you cannot upgrade immediately, add a reverse‑proxy (e.g., Nginx) that enforces basic authentication and logs all requests.
  4. Plan for a permanent fix – monitor the GitHub issue for a formal release; schedule an upgrade window within the 30‑day compliance period.

3. Alibaba RDS MCP – Unauthenticated metadata exposure (no patch)

Alibaba’s RDS MCP server implements a Retrieval‑Augmented Generation (RAG) tool that returns vector‑index data containing table names, column definitions and other schema‑level information. The service does not require any authentication before invoking the tool, so any client that can reach the endpoint can harvest this metadata.

Because the data may include personally identifiable information (PII) or proprietary business logic, the exposure violates GDPR Art. 5(1)(f) (integrity and confidentiality) and CCPA § 1798.150 (reasonable security measures).

Compliance steps

  • Isolate the MCP endpoint – move it to a private subnet and expose it only to internal AI workloads.
  • Implement a gateway – use an API gateway (e.g., AWS API Gateway, Alibaba Cloud API Gateway) to enforce token‑based authentication before the request reaches the MCP server.
  • Document the risk – record Alibaba’s refusal to patch as a residual risk in your risk register; calculate the likelihood and impact for your organisation’s risk‑treatment plan.
  • Consider alternatives – if the risk cannot be mitigated to an acceptable level, migrate the workload to an MCP implementation that supports authentication (e.g., Apache‑based MCP).
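The Pinot steps (restrict network access, require a bearer token, log every request) and the Alibaba gateway step both come down to the same gate in front of the MCP endpoint. The following is an added example of that gate, not code from StarTree, Alibaba or the article; the trusted networks, the token value, the header names and the audit-log format are assumptions constructed for the example. It goes slightly beyond the text by checking the source network and the token in one place and recording the reason for every denial, which is what the monitoring requirement in the compliance list needs.

```python
import hmac
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Constructed trust configuration (hypothetical values).
TRUSTED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16"),
                    ipaddress.ip_network("192.168.100.0/24")]
# Placeholder token for the example; a real gateway validates tokens issued by the IdP.
VALID_TOKENS = ["example-token-not-a-real-secret"]

# In-memory audit trail so the example is self-contained; ship this to your SIEM in practice.
AUDIT_LOG: List[str] = []


def _extract_bearer(headers: Dict[str, str]) -> str:
    """Return the bearer token from a case-insensitive header map, or '' if absent."""
    lowered = {k.lower(): v for k, v in headers.items()}
    scheme, _, token = lowered.get("authorization", "").partition(" ")
    if scheme.lower() != "bearer":
        return ""
    return token.strip()


def _token_is_valid(token: str, valid_tokens: Iterable[str]) -> bool:
    """Constant-time comparison against each accepted token to avoid timing leaks."""
    return any(hmac.compare_digest(token.encode(), v.encode()) for v in valid_tokens)


def _deny(client_ip: str, tool_name: str, reason: str) -> Tuple[bool, str]:
    AUDIT_LOG.append(f"DENY ip={client_ip} tool={tool_name} reason={reason}")
    return False, reason


def check_request(client_ip: str, headers: Dict[str, str], tool_name: str,
                  trusted_networks=TRUSTED_NETWORKS,
                  valid_tokens=VALID_TOKENS) -> Tuple[bool, str]:
    """Gate an MCP tool call: source network first, then bearer token; every outcome is logged."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return _deny(client_ip, tool_name, "unparseable-client-address")
    if not any(addr in net for net in trusted_networks):
        return _deny(client_ip, tool_name, "source-network-not-trusted")
    token = _extract_bearer(headers)
    if not token:
        return _deny(client_ip, tool_name, "missing-bearer-token")
    if not _token_is_valid(token, valid_tokens):
        return _deny(client_ip, tool_name, "invalid-bearer-token")
    AUDIT_LOG.append(f"ALLOW ip={client_ip} tool={tool_name}")
    return True, "ok"


if __name__ == "__main__":
    print(check_request("203.0.113.5", {"Authorization": "Bearer example-token-not-a-real-secret"}, "execute_query"))
    print(check_request("10.20.3.4", {}, "execute_query"))
    print(check_request("10.20.3.4", {"authorization": "Bearer example-token-not-a-real-secret"}, "execute_query"))
    print("\n".join(AUDIT_LOG))
```

Whether this logic lives in a reverse proxy, an API gateway or the MCP server itself, the ordering matters: rejecting untrusted source networks before touching the token keeps credential guessing off the internet-facing path, and logging the denial reason gives the anomalous-pattern monitoring something to alert on.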

Why these flaws matter for compliance officers

MCP servers sit between AI agents and production databases. When the protocol fails to enforce basic security checks, the entire data pipeline becomes an attack vector. Under GDPR and similar statutes, a data controller is expected to perform a risk assessment for any third‑party service that processes personal data. The three MCP issues demonstrate that:

  • Parameter sanitisation is a non‑negotiable control; failure to implement it is a direct violation of Art. 32.
  • Authentication cannot be optional for any public‑facing endpoint; unauthenticated access is a clear breach of the “integrity” principle.
  • Vendor responsiveness is part of the supply‑chain risk management process; a vendor that refuses to patch a known vulnerability must be treated as a high‑risk supplier.

For organisations that have already integrated MCP‑enabled AI agents, the immediate actions are:

  1. Inventory every MCP endpoint in use.
  2. Map each endpoint to the regulatory requirements above.
  3. Prioritise remediation based on the severity rating (high for Doris and Pinot, medium‑high for Alibaba).
  4. Report the status to senior management and, where required, to supervisory authorities within the 72‑hour breach‑notification window if any of the flaws have been exploited.


Figure: A typical MCP deployment architecture – the protocol mediates between an AI model and a backend database. Security controls must be applied at both the protocol layer and the network perimeter.


Next steps for compliance teams

  • Add the three MCP findings (CVE‑2025‑66335 and the two unpatched issues) to your vulnerability‑management dashboard.
  • Verify that your patch‑management process flags the Doris CVE‑2025‑66335 for immediate deployment.
  • Review firewall and API‑gateway rules for Pinot and Alibaba MCP endpoints.
  • Update your third‑party risk register to reflect Alibaba’s refusal to remediate.
  • Schedule a quarterly review of MCP‑related controls to ensure ongoing compliance with GDPR Art. 32, CISA, and CCPA.

By treating MCP servers as critical components of the data processing pipeline, organisations can meet their legal obligations and reduce the likelihood of a successful exploitation.
