oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE-2025-58337: Apache Doris-MCP-Server: Improper Access Control results in bypassing a "read-only" mode for doris-mcp-server MCP Server

From: Mingyu Chen <morningman () apache org>
Date: Tue, 04 Nov 2025 12:37:33 +0000
Severity: moderate 

Affected versions:

- Apache Doris-MCP-Server 0.1.0 before 0.6.0

Description:

An attacker with a valid read-only account can bypass Doris MCP Server’s read-only mode due to improper access control, 
allowing modifications that should have been prevented by read-only restrictions.


Impact:

Bypasses read-only mode; attackers with read-only access may perform unauthorized modifications.




Recommended action for operators: Upgrade to version 0.6.0 as soon as possible (this release contains the fix).

Credit:

Liran Tal, (liran () lirantal com) (finder)

References:

https://doris.apache.org
https://www.cve.org/CVERecord?id=CVE-2025-58337
Previous By Date Next
Previous By Thread Next

Current thread: