Three Database MCP Servers Break in Three Different Ways (CVE-2025-66335)

Key Takeaways

  • Akamai security research published the disclosure on May 13, 2026.
  • Apache Doris MCP Server below 0.6.1 carries a SQL injection in the exec_query tool (CVE-2025-66335).
  • Apache Pinot MCP servers exposed to the internet face potential instance takeover.
  • Alibaba's RDS MCP server exposed metadata without authentication and the vendor declined to patch.
  • All three issues map to classic input-validation and authentication failures inside MCP server code.

Summary

Akamai researchers disclosed three back-end vulnerabilities in database MCP server projects, including SQL injection in Apache Doris, takeover potential in Apache Pinot, and unauthenticated data exposure in Alibaba's RDS MCP that the vendor declined to patch, as The Register reported. The disclosures show that the MCP attack surface now extends to the data tier that agents query most often.

What We Know

The Akamai security research post published on May 13, 2026 walks through three independent flaws found while auditing popular database MCP server implementations. Each project ships an MCP server intended to let agents query the underlying database through standardized tool calls.

Apache Doris MCP Server versions below 0.6.1 contain a SQL injection in the exec_query tool path. The SQL validator only inspects the first portion of the query, missing payloads that the attacker stages later in the db_name parameter; the issue is tracked as CVE-2025-66335 in the NVD entry.
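The prefix-only validation pattern described above, next to a stricter form, as an added example (not code from the Doris MCP server or from Akamai's post). The function names, the `USE ...;` statement shape, the read-only keyword list and the sample inputs are assumptions made for illustration.

```python
import re

# Hypothetical names throughout; this is not the Doris MCP server's code.
_IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")
_READ_ONLY = ("select", "show", "describe", "explain")

SAMPLE_SQL = "SELECT count(*) FROM orders"   # constructed input
SAMPLE_BAD_DB = "sales; DROP TABLE orders"   # constructed db_name value


def weak_build(sql: str, db_name: str) -> str:
    """Prefix-only validation: checks how `sql` starts, trusts `db_name`."""
    if not sql.lstrip().lower().startswith(_READ_ONLY):
        raise ValueError("only read-only statements are allowed")
    # db_name is concatenated after validation, so it is never inspected.
    return f"USE {db_name}; {sql}"


def _strip_literals(sql: str) -> str:
    """Remove quoted strings so a ';' inside a literal is not miscounted."""
    return re.sub(r"'(?:[^'\\]|\\.|'')*'|\"(?:[^\"\\]|\\.)*\"", "", sql)


def strict_build(sql: str, db_name: str) -> str:
    """Validate every caller-controlled part before building the statement."""
    if not _IDENT.fullmatch(db_name):
        raise ValueError("db_name is not a plain identifier")
    body = sql.strip().rstrip(";").strip()
    if not body.lower().startswith(_READ_ONLY):
        raise ValueError("only read-only statements are allowed")
    if ";" in _strip_literals(body):
        raise ValueError("multiple statements are not allowed")
    return f"USE `{db_name}`; {body}"


def rejects(builder, sql: str, db_name: str) -> bool:
    """True when `builder` refuses the input instead of returning SQL."""
    try:
        builder(sql, db_name)
    except ValueError:
        return True
    return False
```

String checks like these are a backstop; a read-only database account for the MCP server limits what any statement that slips through can do.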

Apache Pinot's MCP server, when exposed without authentication, allows attackers to invoke tool calls that can lead to instance takeover. The Alibaba RDS MCP server exposed sensitive metadata without authentication, and the vendor declined to patch on the grounds that the integration is intended for trusted operators only.

What Happened

Each of the three flaws maps to a long-standing class of back-end vulnerability ported into the MCP era. Apache Doris's bug is a classic SQL injection where the validator inspects only a prefix of the query before construction; Apache Pinot's is missing authentication on a control-plane-class endpoint; Alibaba's is unauthenticated metadata exposure on what is effectively a tool API.

What makes these issues distinctly AI-relevant is the channel they sit on. An agent that calls these MCP servers does so without negotiating authentication beyond what the server enforces, and tool calls happen at machine speed across many sessions, so any weakness scales with agent fan-out.

The Alibaba decision not to patch is the most consequential element of the disclosure, because it leaves operators with only mitigations: putting RDS MCP behind a strong identity-aware gateway, restricting which agents can call it, and monitoring tool invocations for anomalous metadata reads.
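One way to apply the last two mitigations (restricting callers and watching for anomalous metadata reads) to a tool-call audit log, as an added example that is not part of the original article or of any vendor's product. The record format, agent ids, tool names and thresholds are all hypothetical.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit records; agent ids and tool names are hypothetical.
SAMPLE_LOG = [
    {"ts": "2026-05-14T09:00:01Z", "agent": "bi-report", "tool": "run_query"},
    {"ts": "2026-05-14T09:00:05Z", "agent": "ops-helper", "tool": "describe_instance"},
    {"ts": "2026-05-14T09:02:10Z", "agent": "scratch-agent", "tool": "list_instances"},
    {"ts": "2026-05-14T09:05:00Z", "agent": "ops-helper", "tool": "list_instances"},
    {"ts": "2026-05-14T09:05:04Z", "agent": "ops-helper", "tool": "list_accounts"},
    {"ts": "2026-05-14T09:05:09Z", "agent": "ops-helper", "tool": "describe_instance"},
    {"ts": "2026-05-14T09:05:15Z", "agent": "ops-helper", "tool": "list_instances"},
]
ALLOWED_AGENTS = {"bi-report", "ops-helper"}
METADATA_TOOLS = {"list_instances", "describe_instance", "list_accounts"}


def review_tool_calls(log, allowed, metadata_tools,
                      limit=3, window=timedelta(seconds=60)):
    """Return findings for calls by unlisted agents and bursts of metadata reads."""
    findings = []
    recent = defaultdict(deque)   # agent -> timestamps of recent metadata reads
    flagged = set()               # agents already reported for a burst
    for rec in sorted(log, key=lambda r: r["ts"]):
        ts = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        agent, tool = rec["agent"], rec["tool"]
        if agent not in allowed:
            findings.append(("unlisted_agent", agent, tool))
        if tool not in metadata_tools:
            continue
        reads = recent[agent]
        reads.append(ts)
        # Drop reads that fell out of the sliding window.
        while ts - reads[0] > window:
            reads.popleft()
        if len(reads) > limit and agent not in flagged:
            flagged.add(agent)
            findings.append(("metadata_burst", agent, len(reads)))
    return findings
```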

Why It Matters

Database MCP servers are quickly becoming the default plumbing between agents and structured data inside the enterprise. A SQL injection in the agent-to-database tool path turns into an agent-driven exfiltration channel that bypasses the access pattern auditors expect from human operators.

Affected data spans whatever the underlying database stores, which in production deployments typically means customer records, telemetry, financial data, and operational logs. Apache Doris and Apache Pinot are widely used for analytics workloads, so exposure includes the warehouses behind product and business intelligence.

For governance, this disclosure is a reminder that an unpatchable third-party component (Alibaba RDS MCP) becomes a permanent residual risk inside any agent that touches it. Vendor management and procurement need to ask MCP-specific questions about authentication, audit, and patch posture before approving new integrations.

PointGuard AI Perspective

The PointGuard MCP Security Gateway brokers every MCP tool call with per-agent identity, on-behalf-of delegation, and policy at the tool-call level, so an agent can reach Apache Doris only with the SQL operations its policy actually allows. The gateway also normalizes authentication across heterogeneous MCP servers, including ones like Alibaba RDS MCP that ship without it.

PointGuard AI Supply Chain Security scans the MCP server inventory across cloud platforms and GitHub, identifies vulnerable framework versions, and ties open-source components back to a knowledge base of known issues so a vulnerable Apache Doris MCP build is visible long before an agent calls it. Posture findings feed into AI Security Posture Management for ongoing remediation tracking against control frameworks.

The forward-looking message is that the MCP back-end is now a first-class attack surface, and it requires the same defense-in-depth posture that database administrators apply to direct connections. Gateway-mediated identity, fine-grained authorization, and continuous inventory together turn the Alibaba-class "won't fix" residual into a managed risk rather than an open door.

Incident Scorecard

Total AISSI Score: 6.8/10

Criticality: 8/10. Production database servers behind agent workloads typically hold regulated and operational data. AISSI weighting: 25%.

Propagation: 7/10. Issues recur across multiple database MCP projects and propagate through shared MCP patterns. AISSI weighting: 20%.

Exploitability: 5/10. Patches available for two of three; one vendor refuses to patch; no broad in-the-wild reports yet. AISSI weighting: 15%.

Supply Chain: 9/10. Heavy reliance on open-source and third-party MCP servers; one critical dependency is unpatched. AISSI weighting: 15%.

Business Impact: 5/10. No confirmed exfiltration disclosed; high potential exposure across analytics estates. AISSI weighting: 25%.


Scoring Methodology

Criticality: Importance and sensitivity of the affected assets and data. Weight: 25%.

Propagation: How easily can the issue escalate or spread to other resources. Weight: 20%.

Exploitability: Is the threat actively being exploited or just lab demonstrated. Weight: 15%.

Supply Chain: Did the threat originate with or was amplified by third-party vendors. Weight: 15%.

Business Impact: Operational, financial, and reputational consequences. Weight: 25%.
