CVE-2025-66336

Apache · Doris MCP Server

Apache Doris MCP Server contains a SQL injection vulnerability within its metadata query path, potentially allowing unauthorized database interactions.

Executive summary

A critical SQL injection vulnerability in the Apache Doris MCP Server allows attackers to manipulate database queries, posing a significant risk to data integrity and confidentiality.

Vulnerability

This vulnerability involves improper neutralization of special elements used in a SQL command within a metadata query path. Depending on the implementation, this flaw may be exploitable by an unauthenticated attacker to execute arbitrary SQL commands against the backend database.

Business impact

The exploitation of this vulnerability could lead to unauthorized access to sensitive information, data exfiltration, or complete database compromise. With a CVSS score of 8.1, this is a High-severity issue that could result in significant operational disruption and loss of data integrity, necessitating immediate attention.

Remediation

Immediate Action: Identify and apply the latest security patches provided by the vendor to address the SQL injection flaw.

Proactive Monitoring: Enable and review database query logs for anomalous patterns, such as unexpected syntax or unauthorized metadata access attempts.

Compensating Controls: Deploy a Web Application Firewall (WAF) with updated rulesets to inspect and block malicious SQL injection payloads targeting the metadata service.
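One way to carry out the query-log review described under Proactive Monitoring, as an added example rather than vendor or project code: the script flags metadata statements that show unexpected syntax or that filter on a schema outside an expected set. The "time|user|statement" log layout, the `ALLOWED_SCHEMAS` set, the function names and the sample lines are assumptions constructed for illustration.

```python
import re

# Assumption: metadata lookups reach the database as information_schema
# queries or SHOW/DESCRIBE statements; adjust to what your deployment logs.
METADATA = re.compile(r"\binformation_schema\b|^\s*(?:show|desc|describe)\b", re.I)
LITERAL = re.compile(r"'(?:[^'\\]|\\.|'')*'")
SCHEMA_FILTER = re.compile(r"table_schema\s*=\s*'([^']*)'", re.I)
ALLOWED_SCHEMAS = {"sales"}  # hypothetical: databases this server should expose

# Matched with string literals blanked, so text inside a literal is ignored.
STRUCTURAL = {
    "stacked_statement": re.compile(r";\s*\S"),
    "comment_marker": re.compile(r"--|#|/\*"),
    "union_select": re.compile(r"\bunion\b\s+(?:all\s+)?select\b", re.I),
}
# Matched on the raw text: OR 1=1, OR '1'='1', OR a=a.
TAUTOLOGY = re.compile(r"\bor\b\s+('?)(\w+)\1\s*=\s*\1\2\1(?!\w)", re.I)

def findings_for(sql):
    """Names of the heuristics one statement trips; [] for non-metadata SQL."""
    if not METADATA.search(sql):
        return []
    bare = LITERAL.sub("''", sql)
    hits = [name for name, rx in STRUCTURAL.items() if rx.search(bare)]
    if TAUTOLOGY.search(sql):
        hits.append("always_true_predicate")
    if any(s.lower() not in ALLOWED_SCHEMAS for s in SCHEMA_FILTER.findall(sql)):
        hits.append("unexpected_schema")
    return hits

def review(log_lines):
    """Return (line_no, user, findings) for each flagged metadata statement."""
    flagged = []
    for n, line in enumerate(log_lines, 1):
        _ts, user, sql = line.split("|", 2)
        hits = findings_for(sql)
        if hits:
            flagged.append((n, user, hits))
    return flagged

# Constructed sample lines in a made-up layout (not a real log format).
SAMPLE_LOG = [
    "2025-01-01T10:00:00|mcp_ro|SELECT column_name FROM information_schema.columns WHERE table_schema = 'sales' AND table_name = 'orders;2024'",
    "2025-01-01T10:00:05|mcp_ro|SELECT column_name FROM information_schema.columns WHERE table_schema = 'sales' AND table_name = 'x' OR '1'='1'",
    "2025-01-01T10:00:09|mcp_ro|SELECT table_name FROM information_schema.tables WHERE table_schema = 'x' UNION SELECT note FROM sales.orders -- '",
]

if __name__ == "__main__":
    for row in review(SAMPLE_LOG):
        print(row)
```

These are heuristics for triage, not proof of exploitation: the first sample line carries a semicolon inside a quoted value and is deliberately not flagged.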

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the High severity of this SQL injection vulnerability, organizations must prioritize patching the Apache Doris MCP Server. Failure to remediate could allow attackers to bypass security controls and compromise the integrity of the underlying database environment.