CVE-2025-66336

HIGH

Apache Doris MCP Server: SQL injection leading the authentication bypass

Title source: cna

Description

Apache Doris MCP Server contains a SQL injection vulnerability in a metadata query path. A user-controlled database name is directly interpolated into a SQL query, and the query is executed without passing the caller's authorization context. This may allow an authenticated attacker, or an anonymous attacker if authentication is disabled, to bypass SQL security validation and access metadata outside the intended database scope. Affected users are recommended to upgrade to Doris version 0.6.1 or later, which fixes the issue.

References (2)

Core 2

Core References

Vendor Advisory vendor-advisory

https://lists.apache.org/thread/4l4v3m7ofwrgp4s4s98pjb5l03fcrzo2

Mailing List

http://www.openwall.com/lists/oss-security/2026/06/22/1

Scores

CVSS v3 8.1

EPSS 0.0034

EPSS Percentile 25.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-89

Status published

Products (1)

Apache Software Foundation/Apache Doris MCP Server 0.1.0 - 0.6.1

Published Jun 22, 2026

Tracked Since Jun 22, 2026