Join the Cyber Forum: Threat Intel on May 12, 2026 to learn how AI is reshaping threat defense.Join the Virtual Cyber Forum: Threat IntelRegister Now
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • AI Data Pipelines
      Security Data Pipeline for AI SIEM and Data Optimization
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2026-33980

CVE-2026-33980: Azure Data Explorer MCP Server SQLi Flaw

CVE-2026-33980 is a KQL injection vulnerability in Azure Data Explorer MCP Server affecting versions up to 0.1.1. Attackers can execute arbitrary queries via unsanitized parameters. This article covers technical details, impact, and patches.

Published: April 2, 2026

CVE-2026-33980 Overview

A KQL (Kusto Query Language) injection vulnerability has been identified in Azure Data Explorer MCP Server, a Model Context Protocol (MCP) server that enables AI assistants to execute KQL queries and explore Azure Data Explorer (ADX/Kusto) databases through standardized interfaces. Versions up to and including 0.1.1 contain KQL injection vulnerabilities in three MCP tool handlers: get_table_schema, sample_table_data, and get_table_details. The table_name parameter is interpolated directly into KQL queries via f-strings without any validation or sanitization, allowing an attacker (or a prompt-injected AI agent) to execute arbitrary KQL queries against the Azure Data Explorer cluster.

Critical Impact

Attackers can execute arbitrary KQL queries against Azure Data Explorer clusters, potentially accessing, modifying, or exfiltrating sensitive data through unsanitized input parameters in AI assistant interfaces.

Affected Products

  • Azure Data Explorer MCP Server versions up to and including 0.1.1
  • Systems using affected MCP tool handlers (get_table_schema, sample_table_data, get_table_details)
  • AI assistants integrated with vulnerable ADX MCP Server instances

Discovery Timeline

  • 2026-03-27 - CVE CVE-2026-33980 published to NVD
  • 2026-03-30 - Last updated in NVD database

Technical Details for CVE-2026-33980

Vulnerability Analysis

This vulnerability is classified as CWE-943 (Improper Neutralization of Special Elements in Data Query Logic), a query injection flaw that allows attackers to manipulate database queries by injecting malicious input. The vulnerability exists in the Azure Data Explorer MCP Server's handling of the table_name parameter across multiple MCP tool handlers.

The affected handlers—get_table_schema, sample_table_data, and get_table_details—construct KQL queries by directly interpolating user-supplied input using Python f-strings. This approach bypasses any form of input validation or parameterized query mechanisms, creating a direct injection point for malicious KQL syntax.

In the context of AI assistants, this vulnerability becomes particularly dangerous as prompt injection attacks against the AI agent could lead to automated exploitation. An attacker could craft malicious prompts that cause the AI assistant to send specially crafted table names containing KQL injection payloads, effectively using the AI as an unwitting attack vector.

Root Cause

The root cause is improper input validation and the use of string interpolation (f-strings) to construct KQL queries. The table_name parameter is directly concatenated into query strings without sanitization, parameterization, or validation against allowed characters or table name patterns. This allows special KQL syntax and operators to be injected and executed as part of the query.

Attack Vector

The attack is conducted over the network, requiring low-privileged access to interact with the MCP server interface. An attacker can exploit this vulnerability by supplying a malicious table_name value that includes KQL query syntax. When the vulnerable handlers process this input, the injected KQL commands are executed against the Azure Data Explorer cluster with the privileges of the MCP server connection.

The attack surface is expanded when AI assistants are involved, as prompt injection techniques can manipulate the AI into constructing and sending malicious table name parameters without direct user intervention. This creates a scenario where even indirect interaction with the system could lead to exploitation.

Detection Methods for CVE-2026-33980

Indicators of Compromise

  • Unusual or malformed table name parameters in MCP server logs containing KQL operators or special characters
  • Unexpected KQL query patterns in Azure Data Explorer audit logs that deviate from normal table schema or sample data operations
  • Evidence of data exfiltration or unauthorized data access through ADX query logs
  • Anomalous query execution times or resource consumption indicating injected complex queries

Detection Strategies

  • Monitor Azure Data Explorer query logs for queries containing unexpected operators, functions, or multi-statement patterns originating from MCP server connections
  • Implement input validation logging to capture and alert on table name parameters containing special characters such as semicolons, pipes, or KQL keywords
  • Deploy application-level monitoring to detect f-string interpolation with user-controlled input in query construction patterns
  • Utilize SentinelOne Singularity Platform to detect anomalous process behavior and query patterns indicative of injection attacks

Monitoring Recommendations

  • Enable comprehensive audit logging on Azure Data Explorer clusters to capture all query activity
  • Configure alerts for queries accessing multiple tables or using administrative functions from MCP server service accounts
  • Implement real-time monitoring for AI assistant interactions that result in unusual database query patterns
  • Review MCP server access logs regularly for signs of prompt injection or manipulation attempts

How to Mitigate CVE-2026-33980

Immediate Actions Required

  • Update Azure Data Explorer MCP Server to a version containing commit 0abe0ee55279e111281076393e5e966335fffd30 or later
  • Audit existing deployments for signs of exploitation by reviewing Azure Data Explorer query logs
  • Implement network segmentation to limit access to MCP server endpoints
  • Temporarily disable or restrict access to the affected tool handlers (get_table_schema, sample_table_data, get_table_details) until patched

Patch Information

The vulnerability has been addressed in commit 0abe0ee55279e111281076393e5e966335fffd30. Organizations should update to a version containing this fix. For detailed patch information, refer to the GitHub Commit Update and the GitHub Security Advisory.

Workarounds

  • Implement a whitelist-based input validation layer that restricts table name parameters to alphanumeric characters and underscores only
  • Deploy a web application firewall (WAF) or API gateway with rules to block KQL injection patterns in request parameters
  • Use network-level access controls to restrict which clients can interact with the MCP server endpoints
  • Consider implementing parameterized query patterns at the application level as an additional defense layer
bash
# Example: Verify patched version is deployed
# Check the current commit hash of your deployment
cd /path/to/adx-mcp-server
git log --oneline -1
# Ensure output includes commit 0abe0ee or a later commit

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeSQLI
  • Vendor/TechAzure Data Explorer
  • SeverityHIGH
  • CVSS Score8.3
  • EPSS Probability0.05%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityNone
  • AvailabilityLow
  • CWE References
  • CWE-943
  • Technical References
  • GitHub Commit Update
  • GitHub Security Advisory
  • Latest CVEs
  • CVE-2025-49454: TinySalt Path Traversal Vulnerability
  • CVE-2025-48261: MultiVendorX Information Disclosure Flaw
  • CVE-2025-32119: CardGate WooCommerce SQL Injection Flaw
  • CVE-2025-26879: s2Member Plugin Reflected XSS Vulnerability
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English