
Security Flaws Exposed in Popular Database Projects' MCP Servers


“There is missing or faulty security validation between the MCP server and its back end,” Akamai security analyst Tomer Peled wrote, summing up a set of defects he found in MCP servers for three popular analytics databases.

What Peled discovered and why MCPs matter

Peled’s research, published this week and due for fuller presentation at x33fcon next month, examined MCP — the Model Context Protocol — an open source protocol originally developed by Anthropic that allows LLMs, AI applications, and agents to connect to external data, systems, and one another. He found multiple, distinct failures in how MCP servers validate input and authenticate clients, producing risks that range from SQL injection to metadata exfiltration and full database takeover.

CVE-2025-66335: Apache Doris MCP SQL injection

The first flaw Peled documented has already been fixed and assigned CVE-2025-66335. It affects Apache Doris MCP Server versions earlier than 0.6.1. According to Peled, the server’s exec_query function fails to validate the db_name parameter before constructing a SQL statement; that parameter is prepended to the final query and the server’s SQL validator only inspects the first portion of the statement. “As a result, any attacker that gains access to a client connected to the Doris MCP server can execute arbitrary commands on the victim’s Apache Doris instance,” Peled wrote. Apache issued a patch in December and opened a CVE tracker for the defect.
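The pattern described above, as an added example that is not the Doris MCP server's code: a simplified model in which the caller's SQL is checked but `db_name` is prepended unchecked, next to a version that validates every caller-controlled part. The `USE ...;` layout, function names and sample values are assumptions made for illustration.

```python
import re

# All names here are hypothetical; this is not the Doris MCP server's code.
IDENTIFIER = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")
READ_ONLY = {"select", "show", "describe", "explain"}


def is_read_only(sql):
    """Toy validator: checks only the leading keyword of the text it is given."""
    words = sql.strip().split(None, 1)
    return bool(words) and words[0].lower() in READ_ONLY


def build_query_flawed(db_name, sql):
    """Simplified model of the flaw: sql is checked, db_name is prepended raw."""
    if not is_read_only(sql):
        raise ValueError("statement rejected")
    return f"USE {db_name}; {sql}"


def build_query_checked(db_name, sql):
    """Validate every caller-controlled part before assembling the statement."""
    if not IDENTIFIER.fullmatch(db_name):
        raise ValueError("db_name is not a plain identifier")
    body = sql.strip().rstrip(";").strip()
    if ";" in body:
        # Conservative: also rejects a semicolon inside a string literal.
        raise ValueError("multiple statements are not allowed")
    if not is_read_only(body):
        raise ValueError("statement rejected")
    return f"USE `{db_name}`; {body}"


def try_build(builder, db_name, sql):
    """Return the built query, or 'rejected: <reason>' if the builder refuses."""
    try:
        return builder(db_name, sql)
    except ValueError as exc:
        return f"rejected: {exc}"


# Constructed input: a db_name value that carries a second statement.
CRAFTED_DB = "sales; DROP TABLE orders; --"

if __name__ == "__main__":
    print(try_build(build_query_flawed, CRAFTED_DB, "SELECT 1"))
    print(try_build(build_query_checked, CRAFTED_DB, "SELECT 1"))
    print(try_build(build_query_checked, "sales", "SELECT 1;"))
```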

Apache Pinot and StarTree: unauthenticated MCP calls and an OAuth mitigation

The second issue affects Apache Pinot MCP (Pinot MCP v1.1.0 and earlier) and StarTree’s MCP integration for Pinot prior to v2.0.0. Peled reported that Pinot’s MCP endpoint uses HTTP as the transport layer without requiring authentication, enabling remote attackers who can reach the endpoint to invoke MCP tools used for SQL execution. “In environments where the MCP endpoint is reachable externally, this behavior allows unauthenticated attackers to execute queries against the Pinot instance, which can allow a full remote takeover of the database,” Peled wrote. StarTree has since added OAuth as an authentication option when using HTTP, which Peled says lowers the threat of SQL injection although the vulnerability remains in the code. Apache has opened a security issue in the MCP Pinot GitHub repository. Neither Apache nor StarTree responded to The Register’s requests for comment.

Alibaba RDS MCP: unauthenticated RAG calls and a vendor decision not to patch

The third and most contentious finding concerns Alibaba RDS MCP. Peled found that the server does not authenticate users before invoking the retrieval-augmented generation (RAG) MCP tool, which lets AI models connect with and query databases. “Any client able to reach the MCP endpoint can issue requests to the server without any query validation,” he wrote, and the vector index used by RAG may contain table names, schema definitions, or other potentially sensitive metadata that an unauthenticated attacker could exfiltrate. Peled reported the issue to Alibaba in November; according to him, Alibaba told him the issue is “not applicable” for a fix, and the vulnerability remains in the codebase. Akamai also reported Alibaba’s inaction to the CERT Coordination Center (CERT/CC). Alibaba did not respond to The Register’s inquiries.
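Both the Pinot and the Alibaba findings come down to tool calls being dispatched before the caller is authenticated. The sketch below is an added example, not code from Pinot, StarTree or Alibaba: it gates MCP `tools/call` JSON-RPC requests behind a bearer token and a per-token tool scope. Static tokens stand in for a real OAuth validation step, and the token values, tool names and lowercase header keys are assumptions.

```python
import hmac
import json

# Hypothetical, constructed values: tokens, scopes and tool names are not
# taken from any of the projects discussed in the article.
TOKENS = {"constructed-token-analyst": {"run_sql"},
          "constructed-token-search": {"rag_search"}}
DEMO_TOOLS = {"run_sql": lambda query: "ran " + query,
              "rag_search": lambda text: ["doc"]}
SAMPLE_BODY = ('{"jsonrpc": "2.0", "id": 1, "method": "tools/call", '
               '"params": {"name": "rag_search", "arguments": {"text": "schema"}}}')


def scopes_for(headers):
    """Return the tool scopes for a valid bearer token, else None."""
    scheme, _, presented = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not presented:
        return None
    for token, scopes in TOKENS.items():
        # Constant-time comparison avoids leaking token prefixes via timing.
        if hmac.compare_digest(token.encode(), presented.encode()):
            return scopes
    return None


def handle(headers, body, tools):
    """Authenticate first, then dispatch tools/call only within the token's scope."""
    scopes = scopes_for(headers)
    if scopes is None:
        return 401, {"error": "authentication required"}
    try:
        msg = json.loads(body)
        name = msg["params"]["name"]
        args = msg["params"].get("arguments", {})
    except (ValueError, KeyError, TypeError, AttributeError):
        return 400, {"error": "malformed request"}
    if not isinstance(name, str) or not isinstance(args, dict):
        return 400, {"error": "malformed request"}
    if msg.get("method") != "tools/call" or name not in tools:
        return 400, {"error": "unsupported method or tool"}
    if name not in scopes:
        return 403, {"error": "tool not permitted for this token"}
    return 200, {"jsonrpc": "2.0", "id": msg.get("id"),
                 "result": tools[name](**args)}


if __name__ == "__main__":
    print(handle({}, SAMPLE_BODY, DEMO_TOOLS))
    print(handle({"authorization": "Bearer constructed-token-search"},
                 SAMPLE_BODY, DEMO_TOOLS))
```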

What this means for technologists, affected enterprises, and CERT/CC

  • Technologists and security teams: The three findings underscore specific technical failures — missing parameter validation, lack of authentication on HTTP endpoints, and unguarded RAG tools — that teams must inspect in MCP server deployments. For teams running Apache Doris, the patched CVE-2025-66335 points to a concrete remediation path; for Pinot users, StarTree’s OAuth option alters risk but does not eliminate the underlying code issue.
  • Affected enterprises and procurement leaders: Organizations using Doris, Pinot, or Alibaba RDS MCP servers should assess exposure, particularly whether MCP endpoints are reachable externally. Peled’s work highlights that an MCP server placed between an AI agent and a production database can amplify risk by allowing agents (or attackers posing as agents) to issue SQL or RAG queries that reveal metadata or execute commands.
  • CERT/CC and regulators: Akamai has already notified CERT/CC about Alibaba’s response. The difference in vendor reactions — Apache issuing a patch and CVE tracker, StarTree adding an OAuth option and Apache opening a GitHub issue, versus Alibaba declining to patch — creates a clear record that coordination bodies can use when prioritizing disclosure and mitigation guidance.

Peled concluded his write-up with a call that echoes through the three cases: “This means that more attention should be given not just to the specification but also to the best security practices guides when developing secure MCP servers.” The mixed vendor responses and the range of technical failures he catalogued leave a sharp question for operators and standards bodies alike — will MCP deployments converge on a shared security baseline, or will these validation and authentication gaps become recurring, high-value targets?
