CVE-2026-14471
Amazon · MCP Gateway & Registry
The metrics-service component in Amazon MCP Gateway & Registry is vulnerable to SQL injection within its retention policy management functionality.
Executive summary
A critical SQL injection vulnerability in Amazon MCP Gateway & Registry allows authenticated attackers to manipulate database queries and potentially compromise data integrity.
Vulnerability
This vulnerability is a SQL injection (CWE-89) flaw residing in the metrics-service retention policy management component. An authenticated attacker can supply malicious input to the affected parameters, leading to unauthorized SQL command execution.
Business impact
The ability to inject SQL commands into the backend database poses a severe risk to data confidentiality and integrity. With a CVSS score of 8.1, this high-severity flaw could allow an attacker to exfiltrate sensitive registry data or modify retention policies, potentially leading to unauthorized data deletion or service disruption.
Remediation
Immediate Action: Upgrade to version 1.0.13 or later as specified in the vendor security bulletin.
Proactive Monitoring: Inspect application logs for unusual SQL syntax or unexpected database queries originating from the metrics-service component.
Compensating Controls: Implement strict input validation and parameterized queries at the application layer, or utilize a Web Application Firewall (WAF) to filter malicious SQL patterns.
Exploitation status
Public Exploit Available: false
Analyst recommendation
The presence of a high-severity SQL injection vulnerability necessitates immediate attention. Administrators should prioritize updating the MCP Gateway & Registry to version 1.0.13 to neutralize the injection vector and secure the underlying database infrastructure against unauthorized access.