Skills
Akamai 'One Is a Fluke, 3 Is a Pattern': SQL Injection, Metadata Exfiltration, and Instance Takeover Across Three Major MCP Database Servers
Akamai security research found classic vulnerability classes in three MCP database servers: CVE-2025-66335 SQL injection in Apache Doris MCP (unvalidated db_name parameter in exec_query), sensitive metadata exfiltration in Alibaba RDS MCP, and unauthenticated instance takeover in Apache Pinot MCP. Alibaba declined to patch. Apache issued a fix for Doris. Full research and the automated vulnerability-finding tool will be presented at x33fcon in June 2026.
↳ Follow the thread