CVE-2025-66336 Overview
CVE-2025-66336 is a SQL injection vulnerability [CWE-89] in the Apache Doris MCP Server. A user-controlled database name is directly interpolated into a SQL query within a metadata query path. The server executes the resulting query without passing the caller's authorization context, bypassing SQL security validation.
An authenticated attacker can exploit this flaw to read metadata outside the database scope granted to their account. If authentication is disabled on the MCP Server, an anonymous attacker can trigger the same behavior. The Apache Doris project recommends upgrading the MCP Server to version 0.6.1 or later, which contains the fix.
Critical Impact
Attackers can bypass SQL security validation and read metadata across databases they should not access, exposing schema details and sensitive structural information.
Affected Products
- Apache Doris MCP Server versions prior to 0.6.1
- Deployments exposing the MCP metadata query path to network clients
- Instances running with authentication disabled (highest exposure)
Discovery Timeline
- 2026-06-22 - CVE-2025-66336 published to NVD
- 2026-06-22 - Apache mailing list and Openwall OSS-Security advisories published
- 2026-06-22 - Last updated in NVD database
Technical Details for CVE-2025-66336
Vulnerability Analysis
The Apache Doris MCP Server exposes a metadata query path that accepts a database name from the caller. The handler concatenates this value directly into a SQL statement instead of using parameterized queries or strict identifier validation. As a result, the database name parameter becomes an injection point.
The second defect compounds the first. When the constructed query executes, the server does not pass the caller's authorization context along with it, so the SQL security validation that is supposed to confine a caller to its permitted databases is never applied to the request. Even a syntactically harmless database name that the caller has no grant on is therefore served.
Together, these issues allow an attacker to craft a database name value that alters the query structure and returns metadata from databases the caller is not entitled to view. The vulnerability is classified under CWE-89: Improper Neutralization of Special Elements used in an SQL Command.
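The two defects side by side, as an added example that is not the project's code: the constructed metadata query, the in-memory SQLite catalog standing in for a Doris metadata table, the tautology payload and the caller scope are all assumptions made here for illustration, since the advisory does not publish the exact statement the handler builds. The vulnerable function interpolates the identifier and applies no scope; the hardened one validates the identifier against an allowlist, enforces the caller's scope before execution, and binds the value as a parameter.

```python
import re
import sqlite3

# Constructed stand-in for a Doris information_schema.tables catalog (assumption:
# the real metadata path queries something similar; the exact statement is not public).
CATALOG = [
    ("sales", "orders"),
    ("sales", "customers"),
    ("hr", "salaries"),
    ("hr", "employees"),
]


def open_catalog():
    """Build an in-memory SQLite table that plays the role of the metadata catalog."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tables (table_schema TEXT, table_name TEXT)")
    conn.executemany("INSERT INTO tables VALUES (?, ?)", CATALOG)
    return conn


def list_tables_vulnerable(conn, db_name):
    """Pattern the advisory describes: the caller-supplied database name is pasted
    straight into the SQL text, and the query runs with no authorization scope at all."""
    sql = (
        "SELECT table_schema, table_name FROM tables "
        f"WHERE table_schema = '{db_name}'"
    )
    return conn.execute(sql).fetchall()


# Strict identifier allowlist: letters, digits and underscore only, so no quoting is needed.
IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")


def list_tables_hardened(conn, db_name, caller_scope):
    """Hardened form: validate the identifier, enforce the caller's scope before
    execution, and bind the value as a parameter instead of interpolating it."""
    if not IDENT_RE.fullmatch(db_name):
        raise ValueError(f"invalid database identifier: {db_name!r}")
    if db_name not in caller_scope:
        raise PermissionError(f"caller is not authorized for database {db_name!r}")
    return conn.execute(
        "SELECT table_schema, table_name FROM tables WHERE table_schema = ?",
        (db_name,),
    ).fetchall()


def probe(fn, *args):
    """Run one call and report either the schemas it returned or the exception raised."""
    try:
        return sorted({schema for schema, _ in fn(*args)})
    except (ValueError, PermissionError) as exc:
        return type(exc).__name__


def run_demo():
    conn = open_catalog()
    payload = "sales' OR '1'='1"  # tautology that widens the WHERE clause to every schema
    scope = {"sales"}             # the caller is only granted the sales database
    return {
        # defect 1: the injected value changes the query structure, every schema comes back
        "vuln_injected": probe(list_tables_vulnerable, conn, payload),
        # defect 2: even a clean name outside the caller's grants is served
        "vuln_out_of_scope": probe(list_tables_vulnerable, conn, "hr"),
        "hard_injected": probe(list_tables_hardened, conn, payload, scope),
        "hard_out_of_scope": probe(list_tables_hardened, conn, "hr", scope),
        "hard_in_scope": probe(list_tables_hardened, conn, "sales", scope),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:18} -> {result}")
```

Running it shows the vulnerable path returning both `hr` and `sales` for the injected value and returning `hr` for a plain out-of-scope name, while the hardened path rejects the first as an invalid identifier and the second as an authorization failure. Note that parameter binding alone would not have closed the second defect; the scope check has to happen on the request path.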
Root Cause
The root cause is direct string interpolation of an untrusted identifier into a SQL query combined with an execution path that omits the caller's authorization context. The MCP Server treats the metadata query as a privileged internal operation rather than a request bound to the original user's permissions.
Attack Vector
The attack is performed over the network against the MCP Server endpoint. The attacker submits a metadata request with a malicious database name value. Where authentication is enforced, any valid low-privilege account is sufficient. Where authentication is disabled, no credentials are required.
No verified proof-of-concept code has been published. Refer to the Apache Mailing List Thread and the Openwall OSS-Security Update for the vendor's technical description.
Detection Methods for CVE-2025-66336
Indicators of Compromise
- MCP Server request logs containing SQL metacharacters (', --, ;, /*, UNION) inside the database name parameter
- Metadata queries returning rows for databases the calling principal does not own or have grants on
- Spikes in metadata or INFORMATION_SCHEMA-style queries from a single MCP client session
Detection Strategies
- Inspect Doris query audit logs for metadata statements where the database identifier does not match the authenticated user's permitted scope
- Alert on metadata queries issued by the MCP Server whose database identifier contains quoting, comment or statement-separator characters, since a validated identifier never does
- Correlate MCP Server access logs with Doris backend query logs to identify identity propagation gaps
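The three indicators above (metacharacters in the database-name parameter, a database outside the principal's grants, and a burst of metadata calls from one session) run over a constructed request log, as an added example that is not part of the advisory. The JSON-lines log format, the grant map and the per-session threshold are assumptions; the real doris-mcp-server log layout is not reproduced here, so the parsing line would need adapting to whatever your deployment emits.

```python
import json
import re
from collections import Counter

# Constructed MCP Server request log, one JSON object per line. Assumed format for
# illustration only; it is not the real doris-mcp-server log layout.
SAMPLE_LOG = """\
{"ts": "2026-06-22T10:00:01Z", "session": "s1", "principal": "analyst", "tool": "list_tables", "db_name": "sales"}
{"ts": "2026-06-22T10:00:04Z", "session": "s1", "principal": "analyst", "tool": "list_tables", "db_name": "sales' OR '1'='1"}
{"ts": "2026-06-22T10:00:07Z", "session": "s1", "principal": "analyst", "tool": "list_tables", "db_name": "x' UNION SELECT table_schema, table_name FROM information_schema.tables --"}
{"ts": "2026-06-22T10:00:09Z", "session": "s1", "principal": "analyst", "tool": "list_tables", "db_name": "hr"}
{"ts": "2026-06-22T10:00:12Z", "session": "s2", "principal": "etl", "tool": "list_tables", "db_name": "warehouse"}
"""

# Assumed grant map: which databases each principal may see. In production this is
# derived from the Doris grants, not a hard-coded dict.
GRANTS = {"analyst": {"sales"}, "etl": {"warehouse", "staging"}}

# Quoting, comment and separator characters plus UNION; none belong in an identifier.
METACHARS = re.compile(r"['\";]|--|/\*|\bUNION\b", re.IGNORECASE)
IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")
SESSION_THRESHOLD = 3  # metadata calls per session before it counts as a spike (tunable)


def scan(log_text, grants=GRANTS, threshold=SESSION_THRESHOLD):
    """Return a list of findings, one per matched rule, in log order plus spike summaries."""
    findings = []
    per_session = Counter()
    for lineno, raw in enumerate(log_text.splitlines(), 1):
        if not raw.strip():
            continue
        rec = json.loads(raw)
        db = rec.get("db_name", "")
        who = rec.get("principal")
        per_session[rec.get("session")] += 1
        if METACHARS.search(db) or not IDENT_RE.fullmatch(db):
            # indicator 1: SQL metacharacters or anything else outside identifier syntax
            findings.append({"line": lineno, "rule": "sql_metachar_in_identifier",
                             "principal": who, "db_name": db})
        elif db not in grants.get(who, set()):
            # indicator 2: well-formed name, but not in the principal's granted scope
            findings.append({"line": lineno, "rule": "out_of_scope_database",
                             "principal": who, "db_name": db})
    for session, count in per_session.items():
        if count > threshold:
            # indicator 3: one session issuing more metadata calls than the threshold
            findings.append({"line": None, "rule": "metadata_query_spike",
                             "session": session, "count": count})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f)
```

On the constructed log the scanner flags lines 2 and 3 for metacharacters, line 4 because `analyst` has no grant on `hr`, and session `s1` for four metadata calls against a threshold of three. The scope rule is the one that matters most for this CVE: a well-formed name the caller is not entitled to is exactly what the missing authorization context lets through, and no metacharacter filter will see it.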
Monitoring Recommendations
- Enable verbose audit logging on the Doris frontend and forward to a central SIEM for retention and search
- Monitor MCP Server network exposure and flag instances reachable from untrusted networks or running without authentication
- Track the MCP Server version inventory and flag any host still running a doris-mcp-server release earlier than 0.6.1
How to Mitigate CVE-2025-66336
Immediate Actions Required
- Upgrade Apache Doris MCP Server to version 0.6.1 or later, which removes the unsafe interpolation and enforces authorization context propagation
- Verify that authentication is enabled on every MCP Server instance and disable anonymous access
- Restrict network reachability of the MCP Server endpoint to trusted application tiers using firewall or service mesh policy
Patch Information
The Apache Doris project fixed CVE-2025-66336 in Apache Doris MCP Server version 0.6.1. The fix removes direct interpolation of the database name into the metadata SQL query and ensures the caller's authorization context is applied during execution. Patch details are documented in the Apache Mailing List Thread.
Workarounds
- Disable or block the MCP Server metadata query endpoint until patching is complete
- Remove anonymous access and require authenticated MCP clients with least-privilege accounts
- Place a reverse proxy or API gateway in front of the MCP Server that rejects requests whose database-name field contains anything other than identifier characters (letters, digits, underscore); an allowlist is more robust than filtering for specific SQL metacharacters, but it does not restore the missing authorization scope and is a stopgap until the patch is applied
# Verify the running Doris MCP Server version and upgrade if below 0.6.1
doris-mcp-server --version
# Example: upgrade procedure (replace with your package manager / deployment tool)
# 1. Stop the service
systemctl stop doris-mcp-server
# 2. Install version 0.6.1 or later from the official Apache release
# 3. Restart and confirm
systemctl start doris-mcp-server
doris-mcp-server --version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

