CVE-2025-66336 in Doris MCP Server
Summary
by MITRE • 06/22/2026
Apache Doris MCP Server contains a SQL injection vulnerability in a metadata query path. A user-controlled database name is directly interpolated into a SQL query, and the query is executed without passing the caller's authorization context. This may allow an authenticated attacker, or an anonymous attacker if authentication is disabled, to bypass SQL security validation and access metadata outside the intended database scope.
Affected users are recommended to upgrade to Doris version 0.6.1 or later, which fixes the issue.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 06/22/2026
The Apache Doris MCP Server vulnerability represents a critical security flaw that undermines the integrity of database metadata protection mechanisms. This issue manifests within the metadata query path where user-supplied database names are directly incorporated into SQL queries without proper sanitization or validation. The vulnerability exists in the server's handling of authenticated and unauthorized access scenarios, creating pathways for malicious actors to exploit the system's trust model. The absence of proper authorization context verification during query execution allows attackers to manipulate database scope parameters and gain access to metadata beyond their intended boundaries.
The technical implementation flaw stems from improper input validation and query construction practices within the MCP server component. When a database name is provided by a user, it undergoes direct interpolation into SQL statements rather than being properly parameterized or escaped. This approach violates fundamental security principles for preventing injection attacks and creates opportunities for attackers to manipulate query structure through crafted inputs. The vulnerability operates at the application layer where database access controls should enforce scope limitations but instead permit unauthorized metadata traversal.
Operational impact of this vulnerability extends beyond simple data exposure to encompass potential system compromise and information disclosure. An authenticated attacker can leverage this flaw to access metadata from databases they should not have permissions to view, potentially revealing sensitive structural information about the database environment. When authentication is disabled, anonymous attackers gain additional capabilities to exploit the vulnerability without requiring valid credentials. This creates a particularly dangerous scenario where even unauthenticated access can lead to comprehensive metadata enumeration and system reconnaissance activities.
The security implications align with CWE-89 which specifically addresses SQL injection vulnerabilities in software systems. This classification emphasizes the critical nature of improper input handling that allows attackers to manipulate backend database queries through user-controllable parameters. Additionally, the vulnerability maps to ATT&CK technique T1078 which covers legitimate credentials use and unauthorized access patterns, as attackers can bypass authorization controls through the injection mechanism. The lack of proper authorization context validation creates a path for privilege escalation and lateral movement within the database environment.
Organizations utilizing Apache Doris should prioritize immediate remediation through upgrading to version 0.6.1 or later, which implements proper input sanitization and authorization context enforcement. The fix addresses the root cause by ensuring that user-supplied database names are properly parameterized in SQL queries and that access controls maintain their integrity throughout metadata retrieval operations. System administrators should also conduct comprehensive security reviews of all database interaction points to identify similar vulnerabilities and implement consistent input validation practices across the entire application stack.