
=====================================================================

                            CERT-Renater

                Information Note No. 2026/VULN403
_____________________________________________________________________

DATE                : 17/04/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Doris MCP Server versions
                     prior to 0.6.1.

=====================================================================
https://lists.apache.org/thread/kzw0xqmmw34f5cfj1b7v13mpwhm29d1p
_____________________________________________________________________

CVE-2025-66335: Apache Doris MCP Server: MCP SQL inject
Severity: moderate

Affected versions:

- Apache Doris MCP Server 0.1.0 before 0.6.1

Description:

Apache Doris MCP Server versions earlier than 0.6.1 are affected by
an improper neutralization flaw in query context handling that may
allow execution of unintended SQL statements and bypass of intended
query validation and access restrictions through the MCP query
execution interface. Versions 0.6.1 and later are not affected.
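To act on the affected range above, an inventory triage helper is useful. The following is an added example, not code from the CERT-Renater note or the Apache Doris project: it flags hosts whose installed package falls in [0.1.0, 0.6.1) using numeric (not lexical) version comparison. The distribution name "doris-mcp-server" and the sample inventory are assumptions constructed for illustration.

```python
# Added example (not from the advisory): triage a constructed inventory of
# "<host> <pip freeze line>" entries against the range stated in the advisory,
# Apache Doris MCP Server 0.1.0 up to but excluding 0.6.1.
from typing import List, Tuple

# Assumed distribution name for illustration; confirm it in your own environment.
PACKAGE = "doris-mcp-server"
AFFECTED_FROM = (0, 1, 0)   # first affected version (inclusive), from the advisory
FIXED_IN = (0, 6, 1)        # fixed version (exclusive upper bound), from the advisory


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '0.6.1' into (0, 6, 1). Pre-release or local suffixes such as
    'rc1' or '+local' are dropped, so treat those builds conservatively."""
    core = text.split("+", 1)[0]
    parts = []
    for piece in core.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True when version lies in [0.1.0, 0.6.1). Tuple comparison is numeric,
    so 0.10.0 correctly sorts above 0.6.1 (a string compare would not)."""
    return AFFECTED_FROM <= parse_version(version) < FIXED_IN


def triage(inventory: List[str]) -> List[Tuple[str, str, bool]]:
    """Return (host, version, affected) for each inventory line naming PACKAGE."""
    findings = []
    for line in inventory:
        host, _, spec = line.partition(" ")
        name, sep, ver = spec.partition("==")
        if sep and name.strip().lower() == PACKAGE:
            findings.append((host, ver.strip(), is_affected(ver.strip())))
    return findings


# Constructed sample inventory, one "pip freeze" line per host.
SAMPLE_INVENTORY = [
    "analytics-01 doris-mcp-server==0.5.2",
    "analytics-02 doris-mcp-server==0.6.1",
    "analytics-03 doris-mcp-server==0.10.0",
    "analytics-04 requests==2.32.3",
]

if __name__ == "__main__":
    for host, ver, hit in triage(SAMPLE_INVENTORY):
        print(f"{host}: {PACKAGE} {ver} -> {'AFFECTED, upgrade to >= 0.6.1' if hit else 'ok'}")
```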

Credit:

Tomer Peled, Senior Security Researcher at Akamai (reporter)

References:

https://doris.apache.org
https://www.cve.org/CVERecord?id=CVE-2025-66335



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================