Improper Access Control in Doris MCP Server by Apache
CVE-2025-58337

5.4MEDIUM

Key Information:

Vendor: Apache
Status: Apache Doris-mcp-server
Vendor: CVE Published:; 5 November 2025

What is CVE-2025-58337?

An access control vulnerability has been identified in Doris MCP Server, where a user with read-only privileges can bypass the intended restrictions. This flaw allows unauthorized modifications to be made to data that should only be accessible in a read-only format, compromising the integrity of the system. Operators are advised to upgrade to version 0.6.0 immediately to mitigate this security risk.

Affected Version(s)

Apache Doris-MCP-Server 0.1.0 < 0.6.0

References

https://lists.apache.org/thread/6tswlphj0pqn9zf25594r3c1v...

vendor-advisory

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 5, 2025
Vulnerability Reserved
Aug 29, 2025

Credit

Liran Tal, ([email protected])

JSON