SQL Injection Vulnerability in Apache Doris MCP Server
CVE-2025-66336
What is CVE-2025-66336?
Apache Doris MCP Server passes user-controlled database names into SQL queries without proper authorization checks, so a caller can read metadata for databases that should otherwise be restricted to them. Both authenticated and unauthenticated users may be able to exploit this, particularly if authentication settings are misconfigured. Users should upgrade to Apache Doris MCP Server 0.6.1 or later to mitigate this risk.
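An added illustration of the bug class the advisory describes, not code from the Doris MCP Server project: the vulnerable function splices the caller's database name into the query text and performs no authorization check, while the hardened form validates the identifier, enforces a per-caller allowlist, and binds the value as a query parameter. The in-memory SQLite table, schema names and allowlist are constructed stand-ins for the real metadata.

```python
import re
import sqlite3

# Constructed stand-in for a metadata table such as information_schema.tables.
SAMPLE_TABLES = [
    ("sales", "orders"),
    ("sales", "customers"),
    ("hr", "salaries"),
    ("internal_audit", "findings"),
]

def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tables (table_schema TEXT, table_name TEXT)")
    conn.executemany("INSERT INTO tables VALUES (?, ?)", SAMPLE_TABLES)
    return conn

def list_tables_vulnerable(conn: sqlite3.Connection, db_name: str) -> list[str]:
    # Vulnerable pattern: the caller-supplied database name is formatted straight
    # into the SQL text, and nobody checks whether the caller may see that database.
    sql = f"SELECT table_name FROM tables WHERE table_schema = '{db_name}'"
    return [row[0] for row in conn.execute(sql)]

# Plain SQL identifier: letters, digits, underscore; no quotes, spaces or comments.
IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")

def list_tables_safe(conn: sqlite3.Connection, db_name: str,
                     allowed: frozenset[str]) -> list[str]:
    # 1. Reject anything that is not a plain identifier before it goes anywhere.
    if not IDENT_RE.fullmatch(db_name):
        raise ValueError(f"invalid database name: {db_name!r}")
    # 2. Authorize the caller against the databases they may inspect.
    if db_name not in allowed:
        raise PermissionError(f"caller is not authorized for database {db_name!r}")
    # 3. Bind the value as a parameter rather than formatting it into the query.
    sql = "SELECT table_name FROM tables WHERE table_schema = ?"
    return [row[0] for row in conn.execute(sql, (db_name,))]

if __name__ == "__main__":
    conn = make_db()
    crafted = "sales' OR '1'='1"          # constructed input that breaks out of the quotes
    print(list_tables_vulnerable(conn, crafted))   # every schema's tables, not just sales
    print(list_tables_safe(conn, "sales", frozenset({"sales"})))
```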
Affected Version(s)
Apache Doris MCP Server, versions from 0.1.0 up to but not including 0.6.1 (fixed in 0.6.1)