Database MCP Back-End Failures: SQL Injection, Auth Bypass, and an Unpatched Alibaba Disclosure

Severity: high · CVE-2025-66335 · Disclosed

Three popular database MCP servers shipped with the same class of failure: no validation between the MCP endpoint and the back end. Akamai researcher Tomer Peled found SQL injection in Apache Doris MCP (CVE-2025-66335), an authentication bypass enabling full database takeover in Apache Pinot MCP, and unauthenticated metadata exposure in Alibaba's RDS MCP RAG tool. Apache patched Doris. StarTree added an optional OAuth layer to Pinot. Alibaba told Akamai the issue was not applicable for a fix.

What happened

Akamai's Tomer Peled surveyed MCP servers built as AI-to-database bridges and found the same failure mode in three separate projects: the MCP layer passes tool arguments directly to back-end query engines without authentication or input validation.

In Apache Doris MCP (versions before 0.6.1), the exec_query function accepts five parameters. Only four get validated. The fifth, db_name, is prepended directly to the SQL query string. The validator then inspects the beginning of the assembled query, which contains the attacker's directive rather than the intended operation. Any client that can reach the MCP endpoint can execute arbitrary SQL on the Doris instance. This is CVE-2025-66335.
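The validation gap described above, as an added example that is not Doris MCP code: the exact string Doris assembled is not on the page, so this constructed model prepends a USE clause and shows the two halves of the fix, checking every argument on its own before anything is concatenated and allowlisting db_name as a bare identifier. Names such as exec_query_vulnerable, QueryPlan and the regexes are this example's own.

```python
import re
from dataclasses import dataclass

# Hypothetical allowlists for this example; they are not the project's code.
IDENTIFIER_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")
READ_ONLY_KEYWORDS = ("SELECT", "SHOW", "DESCRIBE", "EXPLAIN")


class ToolArgumentError(ValueError):
    """Raised when a tool argument fails validation; nothing reaches the engine."""


def _first_keyword(sql: str) -> str:
    match = re.match(r"\s*([A-Za-z]+)", sql)
    return match.group(1).upper() if match else ""


def exec_query_vulnerable(db_name: str, sql: str) -> str:
    """Mirrors the failure mode: the statement is checked, db_name is not.

    Whatever the caller puts in db_name is interpolated in front of the
    statement and reaches the engine untouched (constructed model).
    """
    if _first_keyword(sql) not in READ_ONLY_KEYWORDS:
        raise ToolArgumentError("only read-only statements are allowed")
    return f"USE {db_name}; {sql}"  # db_name is never inspected


@dataclass(frozen=True)
class QueryPlan:
    database: str   # validated and quoted identifier
    statement: str  # validated single read-only statement


def validate_db_name(db_name: str) -> str:
    """Allowlist the identifier: letters, digits, underscore, bounded length."""
    if not IDENTIFIER_RE.match(db_name):
        raise ToolArgumentError(f"db_name is not a bare identifier: {db_name!r}")
    return f"`{db_name}`"


def validate_statement(sql: str) -> str:
    """Accept exactly one read-only statement, checked before any assembly."""
    stripped = sql.strip().rstrip(";").strip()
    if ";" in stripped:
        raise ToolArgumentError("multiple statements are not allowed")
    if _first_keyword(stripped) not in READ_ONLY_KEYWORDS:
        raise ToolArgumentError("only read-only statements are allowed")
    return stripped


def exec_query_hardened(db_name: str, sql: str) -> QueryPlan:
    """Validate every argument independently, then build a structured plan."""
    return QueryPlan(validate_db_name(db_name), validate_statement(sql))


def render(plan: QueryPlan) -> str:
    """Only validated parts are ever joined into text."""
    return f"USE {plan.database}; {plan.statement}"
```

The keyword and semicolon checks are a floor, not a parser: in a real deployment pair them with a database account that only has read rights, so a statement that slips past the text check still cannot write.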

Apache Pinot MCP (StarTree integration, versions up to 1.1.0) binds its HTTP transport on 0.0.0.0:8080 with no authentication at all. Any attacker who can reach that port can invoke MCP tools including SQL query execution. Peled wrote that in externally reachable environments this allows full remote takeover of the database. StarTree has since added OAuth as an option, but the underlying SQL injection path in the code was not removed.

Alibaba RDS MCP's RAG tool, implemented via FastMCP, listens on 0.0.0.0:8006 without authentication. A reachable attacker can invoke the tool and receive vector index data containing table names, schema definitions, and other metadata without any credentials. Akamai reported this to Alibaba in November 2025. Alibaba's response: the issue is not applicable for a fix. Akamai subsequently reported Alibaba's inaction to CERT/CC.

The PolicyLayer angle

These three vulnerabilities share an architecture: an MCP server with network-accessible tools that accept attacker-controlled parameters and pass them to a privileged back-end without any independent authorisation check. The fix pattern is equally consistent: deny-by-default transport binding, per-tool authentication requirements enforced at the MCP layer before any back-end call, and parameter allowlists or parameterised query construction that treat every tool argument as untrusted input.

For the Alibaba case specifically, a policy gate that requires an authenticated session before any MCP tool invocation would have made the metadata exposure impossible regardless of the server's own inaction. The Pinot case illustrates why binding to 0.0.0.0 without authentication is never a safe default for a tool surface with database write access. Each tool that touches a query engine should require an explicit, narrowly scoped credential rather than inheriting ambient connectivity.

Peled's broader observation holds: no baseline security specification for MCP servers existed at the time of research. Until one is enforced at the ecosystem level, the policy layer between agent and server is the only reliable place to catch servers that skipped authentication entirely.

Mitigations

Upgrade Apache Doris MCP Server to 0.6.1 or later. For Apache Pinot MCP, enable the OAuth authentication option added by StarTree and restrict the HTTP transport to authenticated networks; the underlying SQL injection has not been fully remediated in code, so OAuth limits who can reach the injection path rather than removing it. For Alibaba RDS MCP, no vendor patch is available; restrict the RAG MCP endpoint to trusted internal networks and block external access to port 8006. In all three cases, prefer stdio transport over HTTP where possible to eliminate network-reachable attack surface.
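The policy gate from the PolicyLayer section and the transport advice in these mitigations, as one added example that is not PolicyLayer's product code or any of the three servers' code: a per-tool scope check that runs before the back end is called, denies unknown tools and unauthenticated sessions by default, writes an audit record for every decision, and a startup check that refuses an HTTP listener on all interfaces unless authentication is configured. Tool names, scope strings and the backend callable are this example's assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Any, Callable, Dict, FrozenSet, List, Optional, Tuple


class PolicyDenied(PermissionError):
    """Raised when the gate refuses a call; the back end is never reached."""


@dataclass(frozen=True)
class Session:
    principal: Optional[str]                     # None = unauthenticated client
    scopes: FrozenSet[str] = frozenset()


@dataclass
class ToolGate:
    # tool name -> scope the caller must hold (hypothetical tool names)
    required_scope: Dict[str, str]
    audit: List[Tuple[str, str, str]] = field(default_factory=list)

    def authorize(self, session: Session, tool: str) -> None:
        who = session.principal or "<anonymous>"
        scope = self.required_scope.get(tool)
        if scope is None:                        # unregistered tool: deny by default
            self._deny(who, tool, "tool not registered")
        if session.principal is None:            # ambient connectivity is not identity
            self._deny(who, tool, "unauthenticated")
        if scope not in session.scopes:          # narrow, per-tool credential
            self._deny(who, tool, f"missing scope {scope}")
        self.audit.append((who, tool, "allow"))

    def _deny(self, who: str, tool: str, reason: str) -> None:
        self.audit.append((who, tool, f"deny: {reason}"))
        raise PolicyDenied(f"{tool}: {reason}")

    def call(self, session: Session, tool: str, args: Dict[str, Any],
             backend: Callable[[str, Dict[str, Any]], Any]) -> Any:
        """Authorize first; only then hand the arguments to the back end."""
        self.authorize(session, tool)
        return backend(tool, args)


def check_transport(transport: str, host: str = "", auth_enabled: bool = False) -> str:
    """Refuse the unsafe default: an HTTP listener on every interface with no auth."""
    if transport == "stdio":
        return "ok: stdio, no network listener"
    if transport != "http":
        raise ValueError(f"unknown transport {transport!r}")
    if host in ("", "0.0.0.0", "::") and not auth_enabled:
        raise PolicyDenied(f"refusing to bind {host or '0.0.0.0'} without authentication")
    return f"ok: http on {host} (auth={'on' if auth_enabled else 'off'})"
```

Running check_transport at startup turns the Pinot and Alibaba default (0.0.0.0, no auth) into a hard failure instead of a silently exposed port; the gate's audit list is what an operator would ship to a log sink to see which principal invoked which query tool.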

FAQs

Why does Alibaba's refusal to patch matter more than the technical severity?

Alibaba RDS MCP's RAG tool listens on 0.0.0.0 with no authentication by default. Any deployment where this port is network-reachable is permanently exposed because no vendor fix is coming. Organisations running this server need to add network controls themselves or accept that the metadata their AI agents query is accessible to anyone on the same network.

Is the SQL injection in Doris MCP exploitable without credentials?

Yes. The exec_query tool is reachable via the MCP endpoint without authentication on default deployments. An attacker who can reach the endpoint can inject arbitrary SQL through the db_name parameter. Upgrade to 0.6.1 immediately.

Does adding OAuth to Pinot MCP fully fix the issue?

No. StarTree added OAuth as an authentication option, which prevents unauthenticated tool invocation when enabled. However, the underlying SQL injection in the code path was not removed. Enabling OAuth is necessary but does not fully close the injection vector.
