CVE Alert

CVE-2025-66335

MEDIUM 5.3

Apache Doris MCP Server: MCP SQL inject

CVSS Score: 5.3
EPSS Score: 0.0%
EPSS Percentile: 0th

Apache Doris MCP Server versions earlier than 0.6.1 are affected by an improper neutralization flaw in query context handling that may allow execution of unintended SQL statements and bypass of intended query validation and access restrictions through the MCP query execution interface. Version 0.6.1 and later are not affected.

CWE: CWE-89
Vendor: Apache Software Foundation
Product: Apache Doris MCP Server
Published: Apr 20, 2026
Last Updated: Apr 20, 2026

Affected Versions

Apache Software Foundation / Apache Doris MCP Server
0.1.0 < 0.6.1

References

lists.apache.org: https://lists.apache.org/thread/odp0fyyst8kxm7hhm9z4d1snh1y4hjpy
openwall.com: http://www.openwall.com/lists/oss-security/2026/04/17/4

Credits

Tomer Peled, Senior Security Researcher at Akamai