Bug hunter tracks down three serious MCP database flaws, one left unpatched
Apache, Alibaba databases vulnerable and only one has a patch
Security vulnerabilities in MCP servers for three popular database projects could let attackers execute unintended SQL statements on Apache Doris, exfiltrate sensitive metadata from Alibaba RDS, and potentially take over Apache Pinot instances exposed to the internet. Alibaba, meanwhile, declined to patch its flaw.
Apache issued a patch and a CVE tracker for Doris MCP, and there's an open ticket in the MCP Pinot GitHub repository for the flaw, we're told. However, Alibaba decided not to patch the vulnerability in RDS MCP, according to Akamai security analyst Tomer Peled, who wrote about the flaws on Tuesday and will present his full research next month at x33fcon.
MCP, or Model Context Protocol, is an open source protocol originally developed by Anthropic that allows LLMs, AI...
Copyright of this story belongs to theregister.com.