| Title | designcomputer mysql_mcp_server 0.2.2 SQL Injection |
|---|
| Description | mysql-mcp-server is a Model Context Protocol (MCP) server that bridges AI applications with MySQL databases. The `read_resource()` handler accepts URIs in the format `mysql://{table}/data` and constructs SQL queries using Python f-string interpolation without input validation or parameterization.
The vulnerable code in `src/mysql_mcp_server/server.py` (lines 87-95) parses the URI to extract a table name and directly interpolates it into a SQL query:
```python
parts = uri_str[8:].split('/')
table = parts[0] # unsanitized user input
cursor.execute(f"SELECT * FROM {table} LIMIT 100") # SQL injection point
```
An attacker can craft a malicious URI where the table name contains SQL injection payloads (e.g., `UNION SELECT` statements). The injected SQL is executed with the full privileges of the configured MySQL connection, which in typical deployments is the root user. This vulnerability requires control over the URI parameter sent to the MCP server, which can be achieved through prompt injection attacks against the AI client, malicious MCP client implementations, or man-in-the-middle attacks on the stdio transport. |
|---|
| Source | ⚠️ https://github.com/designcomputer/mysql_mcp_server/issues/89 |
|---|
| User | BlackBird_BB (UID 96773) |
|---|
| Submission | 05/24/2026 19:49 (15 days ago) |
|---|
| Moderation | 06/07/2026 21:46 (14 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 369146 [designcomputer mysql-mcp-server up to 0.2.2 mysql URI server.py read_resource uri_str sql injection] |
|---|
| Points | 20 |
|---|