CVE-2025-66335: Apache Doris MCP Server vulnerable to SQL Injection via improper query context neutralization

April 20, 2026 (updated April 24, 2026)

Apache Doris MCP Server versions prior to 0.6.1 are affected by an improper neutralization flaw in query context handling that may allow execution of unintended SQL statements and bypass of intended query validation and access restrictions through the MCP query execution interface. Versions 0.6.1 and later are not affected.

References

github.com/advisories/GHSA-qhfq-gvvc-5q6q
github.com/apache/doris-mcp-server
github.com/apache/doris-mcp-server/releases/tag/0.6.1
lists.apache.org/thread/odp0fyyst8kxm7hhm9z4d1snh1y4hjpy
nvd.nist.gov/vuln/detail/CVE-2025-66335

Code Behaviors & Features

Detect and mitigate CVE-2025-66335 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →