MCP Back-End Vulnerabilities: classic flaws resurface across AI database bridges
Akamai's May 12, 2026 research found SQL injection (CVE-2025-66335), missing authentication, and unsanitised inputs across three MCP servers — Apache Doris, Apache Pinot, and Alibaba RDS. The pattern, not the bugs, is the story.
What is this?
On May 12, 2026, Akamai’s Tomer Peled published One Is a Fluke, 3 Is a Pattern: MCP Back-End Vulnerabilities, a coordinated disclosure covering three flaws found across roughly 300 official Model Context Protocol (MCP) servers. The research surfaced CVE-2025-66335 (SQL injection in Apache Doris MCP, assigned January 7, 2026, patched December 30, 2025), an unauthenticated SQL execution path in StarTree’s Apache Pinot MCP server (versions ≤ 1.1.0), and an information-disclosure flaw in Alibaba’s RDS MCP (RAG component) that Alibaba has declined to fix.
The bugs themselves are textbook: missing input validation, missing authentication on an HTTP transport, and an unauthenticated RAG endpoint exposing schema metadata. What makes the report worth reading is the pattern. MCP, the open protocol Anthropic introduced in 2024 to let LLMs talk to external systems, leaves nearly every back-end security decision — authentication, credential handling, privilege scope, query validation — up to the implementer. The three servers Akamai broke are not outliers; they are samples.
How it works
MCP servers sit between an AI agent and a back-end system (here, a database). Each server exposes “tools” the model can invoke, and each server decides on its own how to authenticate the caller and how to validate the parameters before talking to the back end.
CVE-2025-66335 — SQL injection in Apache Doris MCP. Doris MCP wraps a Security Manager that authenticates a JWT, assigns a clearance level, and runs a SQL validator. The internal call shape:
```python
from typing import Any, Dict

async def exec_query_for_mcp(
    self,
    sql: str,
    db_name: str = None,
    catalog_name: str = None,
    max_rows: int = 100,
    timeout: int = 30
) -> Dict[str, Any]:
    # Five parameters, but only `sql` is sent to the validator.
    # `db_name` is concatenated into the final query unchanged.
    ...
```
The validator parses the sql argument and stops there. The db_name parameter — also concatenated into the final query — is never sanitised. Any client connected to the MCP server can therefore pass db_name values containing semicolons, comments, or full statements and execute arbitrary SQL against the Doris instance. The validator’s habit of only inspecting the first portion of the parsed statement amplifies the issue. Apache patched in v0.6.1 (December 30, 2025); the CVE was assigned January 7, 2026.
Apache Pinot MCP — authentication validation bypass. StarTree’s Pinot integration (≤ 1.1.0) supports an HTTP transport bound to 0.0.0.0:8080. When HTTP is enabled, the server does not require authentication, and the bundled “validator” only checks that the query string starts with SELECT:
```python
# Illustrative — paraphrased from the disclosure.
if path == server_config.endpoint and method == "POST":
    await transport.handle_post_message(scope, receive, send)
    # No auth check before tool invocation.
# Validator: query.upper().startswith("SELECT")
```
Any remote attacker who can reach the endpoint can issue arbitrary SELECT-based queries — enough for full data exfiltration and, combined with concatenation tricks, broader takeover. StarTree added OAuth as an authentication option on October 14, 2025, which lowers severity for properly configured deployments but does not remove the underlying SQL-validation gap.
Alibaba RDS MCP — unauthenticated RAG endpoint. Alibaba’s RDS MCP bundles a FastMCP RAG component listening on 0.0.0.0:8006, exposing a single tool get_table_struct that does a vector similarity search over an internal index of table schemas. No authentication, no query validation: any client able to reach the endpoint can dump schema metadata that may contain table names, column structures, and other operational fingerprinting. Alibaba marked the issue “not applicable” for a fix; Akamai escalated to CERT/CC on November 25, 2025.
Why it matters
Three observations make this disclosure useful beyond the individual bugs.
First, MCP inherits classical web vulnerabilities and amplifies them. SQL injection in a stand-alone database admin tool is bounded by who can reach the tool. SQL injection in an MCP server is reachable from anything that can talk to the agent — including, in some deployments, prompt-injected content arriving through a different channel entirely. The exposure surface stretches with each new connector.
Second, the protocol’s flexibility is the vulnerability class. MCP deliberately leaves back-end security decisions to implementers. That choice is reasonable for protocol design but consequential in practice: Akamai’s review of the official server set found wide variance in authentication, authorisation, and parameter handling. The OWASP GenAI Security Project published a Practical Guide for Secure MCP Server Development — but adoption lags the pace of deployment.
Third, declining to patch is a policy choice with downstream consequences. Alibaba’s “not applicable” verdict on RDS MCP means a vector index of customer schema metadata stays reachable without authentication for any operator who deploys the official server unchanged. End users carrying that integration into production inherit the decision.
Defenses
The Akamai write-up and the OWASP guide converge on a small set of controls. None is sufficient alone, but together they neutralise the published class.
- Require authentication at the transport layer. Any MCP server bound to a network interface beyond `localhost` must require authentication before exposing tools. Treat the bare HTTP transport (`0.0.0.0:8080`, `0.0.0.0:8006`) as a critical-severity misconfiguration, regardless of how “internal” the network feels.
- Validate every parameter on the server side. Validators that only inspect one argument out of five (Doris) or that only check whether a query starts with `SELECT` (Pinot) are checkboxes, not controls. Use parameterised queries or query builders that cannot concatenate untrusted strings into the final SQL.
- Apply least privilege on the back-end credentials. The MCP service account should hold only the rights the exposed tools require: read-only on the specific tables in scope, no DDL, no cross-schema reach. A successful SQL injection against a least-privileged account is contained by the schema; against an admin account it is total.
- Audit the official MCP server you ship. Vendor-published MCP servers are not implicitly safe. Read the authentication code, read the transport binding, read the parameter handling, and pin to a known-patched version. For Doris specifically: upgrade to v0.6.1 or later (the patch for CVE-2025-66335). For Pinot: enable OAuth and consider blocking the HTTP transport. For Alibaba RDS MCP: do not expose the RAG endpoint beyond authenticated, trusted networks.
- Network-segment the MCP server. Even with authentication, a database-facing MCP server should sit behind the same network controls as the database itself. If your database is not directly internet-exposed, neither should be the MCP server that fronts it.
- Treat MCP tool parameters as user input. The model is not your input validator. Any string the model passes to a tool is, from the back end’s perspective, attacker-controlled — because the model may be reading attacker-controlled context. Validate at the tool boundary, every time.
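As an added example, not code from Akamai's write-up or from the Doris, Pinot or RDS projects, the block below places the two weak checks described under “How it works” (a query-only validator with an unchecked `db_name`, and a bare `startswith("SELECT")` test) beside a tool-boundary validator that covers every string parameter. The identifier allowlist, the backtick quoting and the single-statement rule are assumptions for illustration, not the actual v0.6.1 patch.

```python
import re
from typing import Dict, Optional

# Allowlist for identifier-typed tool parameters (assumed convention: plain
# ASCII identifiers, max 64 chars; widen deliberately if a deployment needs it).
IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")

class ToolInputError(ValueError):
    """A tool parameter failed validation at the MCP tool boundary."""

def weak_prefix_check(sql: str) -> bool:
    """The 'query starts with SELECT' checkbox described for the Pinot server."""
    return sql.upper().startswith("SELECT")

def weak_exec_args(sql: str, db_name: Optional[str] = None) -> Dict[str, Optional[str]]:
    """Doris-style shape: only `sql` is inspected, `db_name` passes through untouched."""
    if not weak_prefix_check(sql):
        raise ToolInputError("only SELECT statements are allowed")
    return {"sql": sql, "db_name": db_name}

def validate_identifier(value: Optional[str], what: str) -> Optional[str]:
    """Allowlist every identifier parameter and quote it, not just the query body."""
    if value is None:
        return None
    if not IDENT_RE.fullmatch(value):
        raise ToolInputError(f"{what} is not a plain identifier: {value!r}")
    return f"`{value}`"  # backtick quoting (assumed MySQL-compatible dialect)

def validate_single_select(sql: str) -> str:
    """Accept exactly one SELECT statement: no stacking, no comment markers."""
    body = sql.strip().rstrip(";").strip()
    if not re.match(r"(?is)^select\b", body):
        raise ToolInputError("only a single SELECT statement is allowed")
    # Conservative: a ';' or comment marker even inside a string literal is rejected.
    if any(marker in body for marker in (";", "--", "/*", "#")):
        raise ToolInputError("stacked statements and comments are rejected")
    return body

def hardened_exec_args(sql: str, db_name: Optional[str] = None,
                       catalog_name: Optional[str] = None) -> Dict[str, Optional[str]]:
    """Validate all three string parameters before anything reaches the database."""
    return {
        "sql": validate_single_select(sql),
        "db_name": validate_identifier(db_name, "db_name"),
        "catalog_name": validate_identifier(catalog_name, "catalog_name"),
    }

def accepts(check, *args) -> bool:
    """True if a validator lets the call through, False if it rejects it."""
    try:
        check(*args)
        return True
    except ToolInputError:
        return False
```

Validation bounds the input; pairing it with a least-privileged service account bounds the blast radius if the validator is ever bypassed.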
Status
| Item | Reference | Date | Notes |
|---|---|---|---|
| Pinot disclosure (StarTree) | Akamai timeline | 2025-09-30 | Vendor contacted |
| Pinot mitigation (OAuth added) | StarTree | 2025-10-14 | Lowers severity, does not close SQLi class |
| Alibaba RDS MCP disclosure | Akamai timeline | 2025-11-17 | Vendor contacted |
| Alibaba declines to patch | Akamai timeline | 2025-11-25 | CERT/CC escalation initiated |
| Doris MCP disclosure | Akamai timeline | 2025-11-27 | Apache contacted |
| Doris patch (v0.6.1) | Apache | 2025-12-30 | Validates db_name |
| CVE-2025-66335 assigned | NVD | 2026-01-07 | SQL injection (CWE-89) |
| Pinot MCP public issue opened | GitHub | 2026-05-04 | Coordinated public step |
| Akamai write-up | Akamai blog | 2026-05-12 | Full research, with tool to surface similar bugs |
| The Register coverage | The Register | 2026-05-13 | Independent reporting |
| Full research presentation | x33fcon | 2026-06 (scheduled) | Tooling expected to be released |
The disclosure’s enduring contribution is not the three CVE-class issues — those will be patched, ignored, or worked around case by case. It is the demonstration that the MCP server tier is a fresh attack surface inheriting decades of unsolved back-end security problems, dressed up in new tooling and deployed faster than the security guidance can spread. The next wave of MCP integrations will repeat the pattern unless authentication, validation, and least privilege are designed in from the connector’s first commit.
Sources
- https://www.akamai.com/blog/security-research/one-fluke-3-pattern-mcp-back-end-vulnerabilities
- https://nvd.nist.gov/vuln/detail/CVE-2025-66335
- https://github.com/advisories/GHSA-qhfq-gvvc-5q6q
- https://www.theregister.com/security/2026/05/13/bug-hunter-tracks-down-three-serious-mcp-database-flaws-one-left-unpatched/5238916
- https://genai.owasp.org/resource/a-practical-guide-for-secure-mcp-server-development/