Three major security vulnerabilities have been identified in MCP servers that serve as an interface for AI agents to query and operate on popular databases from Apache and Alibaba. While Apache has issued patches for some issues, Alibaba has declined to address one critical flaw, underscoring alarming security gaps in the MCP ecosystem that threaten cloud infrastructure security and reliability.
- Apache patched a major SQL injection flaw in Doris MCP; Alibaba declined to fix the RDS MCP issue.
- MCP servers lack robust authentication, exposing databases to remote takeover and data leaks.
- Teams must enhance validation, monitor exposed MCP endpoints, and apply or demand patches.
Infrastructure signal
MCP servers act as critical intermediaries connecting AI applications with backend databases, but recent flaws reveal significant deficiencies in authentication and input validation. Apache Doris MCP suffered from SQL injection vulnerabilities in database name parameters allowing attackers to run arbitrary commands on backend instances. Apache Pinot’s MCP endpoint was exposed without mandatory authentication over HTTP, enabling possible remote database takeovers. Meanwhile, Alibaba’s RDS MCP could be queried without validating user identity, creating an information disclosure risk that remains unpatched.
These vulnerabilities highlight fundamental risks in adopting MCP for AI-cloud database workflows. They directly impact cloud cost and reliability by opening pathways to unauthorized operations and potential disruption of database services. Until these security gaps are resolved comprehensively, the risk of exploitation remains high, signaling caution for infrastructure teams integrating MCP-enabled AI into critical data workloads.
Developer impact
Developers leveraging MCP to integrate large language models and AI agents with databases must now prioritize security validation and patch management in their deployment pipelines. The discovered SQL injection flaws and authentication bypasses require swift adoption of patched versions or enhanced custom security controls, especially for MCP-to-database communication. Those using Apache Doris MCP should upgrade to version 0.6.1 or later; Pinot MCP users must ensure authentication mechanisms such as OAuth are enforced.
These vulnerabilities also emphasize the importance of secure development lifecycle practices for MCP tools and related agent applications. Developers need heightened observability into query traffic, parameter sanitization, and endpoint access control to prevent exploitation. Failure to rigorously vet and update MCP components can result in data breaches, service interruptions, and elevated cloud infrastructure costs due to incident remediation.
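As an added example (not code from the Doris, Pinot or RDS MCP projects), the handler below shows how an MCP tool that takes a database name, the kind of parameter the Doris flaw abused, can be hardened: a strict identifier pattern, backtick quoting, a per-agent database allowlist, and an audit record for every rejection so that malformed inputs become visible to monitoring. The pattern, the handler shape and the sample inputs are assumptions for illustration.

```python
import re

# Assumed policy (not the Doris MCP project's own rule): an identifier is
# letters, digits and underscores, at most 64 characters, which also matches
# the MySQL/Doris identifier length limit.
IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")


class UnsafeIdentifier(ValueError):
    """Raised when an agent-supplied database or table name fails validation."""


def safe_identifier(name: str) -> str:
    """Validate NAME and return it backtick-quoted as MySQL/Doris expect."""
    if not isinstance(name, str) or not IDENT_RE.fullmatch(name):
        raise UnsafeIdentifier(f"rejected identifier: {name!r}")
    # The pattern already excludes backticks; doubling them is defence in depth.
    return "`" + name.replace("`", "``") + "`"


def show_tables_vulnerable(db_name: str) -> str:
    """Anti-pattern: the tool argument is pasted straight into the statement."""
    return f"SHOW TABLES FROM {db_name}"


def show_tables_hardened(db_name: str, allowed_dbs: frozenset) -> str:
    """Validate the shape first (so malformed input is logged as such),
    then enforce least privilege with a per-agent database allowlist."""
    quoted = safe_identifier(db_name)
    if db_name not in allowed_dbs:
        raise PermissionError(f"database not permitted for this agent: {db_name!r}")
    return f"SHOW TABLES FROM {quoted}"


def handle_tool_call(db_name: str, allowed_dbs: frozenset, audit: list) -> dict:
    """Minimal MCP-style tool handler: returns the SQL to execute or a
    structured error, and appends one record to AUDIT either way."""
    try:
        sql = show_tables_hardened(db_name, allowed_dbs)
        audit.append({"db": db_name, "outcome": "ok"})
        return {"ok": True, "sql": sql}
    except (UnsafeIdentifier, PermissionError) as exc:
        audit.append({"db": db_name, "outcome": type(exc).__name__})
        return {"ok": False, "error": str(exc)}


if __name__ == "__main__":
    allowed = frozenset({"sales_db", "analytics"})   # constructed sample allowlist
    log = []
    for arg in ["sales_db", "sales_db; DROP TABLE orders", "information_schema"]:
        print(show_tables_vulnerable(arg))   # constructed inputs; shows what interpolation lets through
        print(handle_tool_call(arg, allowed, log))
    print(log)
```

The audit entries distinguish `UnsafeIdentifier` (input that could never be a valid name, a strong signal of probing) from `PermissionError` (a well-formed name outside the agent's allowlist), which is the split a detection rule at the MCP layer would want.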
What teams should watch
Infrastructure and security teams must monitor MCP endpoints exposed to public or semi-public networks closely, validating access policies, authentication layers, and database-level permissions. Given Alibaba’s refusal to patch its RDS MCP vulnerability, teams relying on this platform should consider compensating controls such as network isolation or proxy authentication until an official fix is available. Additionally, tracking open issues and updates in the MCP repositories for Apache Doris and Pinot is critical to stay current on mitigation efforts.
Observability into unusual query patterns and failed authorization attempts at the MCP layer is essential to detect early attack attempts. Teams should incorporate automated scans for known MCP vulnerabilities in their developer workflows and CI/CD pipelines. Finally, cross-team communication between developer security, cloud operations, and platform engineering should be prioritized to rapidly disseminate the impact of MCP vulnerabilities and the recommended response actions.