CVE-2025-66336 · Symaro Security Advisory

Description

Apache Doris MCP Server contains a SQL injection vulnerability in a metadata query path. A user-controlled database name is directly interpolated into a SQL query, and the query is executed without passing the caller's authorization context. This may allow an authenticated attacker, or an anonymous attacker if authentication is disabled, to bypass SQL security validation and access metadata outside the intended database scope. Affected users are recommended to upgrade to Doris version 0.6.1 or later, which fixes the issue.

Weaknesses

CWE-89 — CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Affected products

Vendor	Product	Versions
Apache Software Foundation	Apache Doris MCP Server	0.1.0 to <0.6.1

References

https://lists.apache.org/thread/4l4v3m7ofwrgp4s4s98pjb5l03fcrzo2 (vendor-advisory)
http://www.openwall.com/lists/oss-security/2026/06/22/1

Authoritative sources

This page is a snapshot. For the latest enrichment and updates, view the record on CVE.org or the NVD.

Generated from the official CVE List on 22 Jun 2026 14:43 UTC.