Description
A vulnerability was determined in designcomputer mysql-mcp-server up to 0.2.2. The impacted element is the function read_resource of the file src/mysql_mcp_server/server.py of the component mysql URI Handler. This manipulation of the argument uri_str causes SQL injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. Upgrading to version 0.3.0 is sufficient to resolve this issue. Patch name: 080bef9a96d625ce0dfbde573a08b93497871981. Upgrading the affected component is advised.
Published: 2026-06-08
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the read_resource function of mysql-mcp-server’s server.py module, the handler for mysql URIs. The uri_str argument is incorporated into a database query without adequate neutralization, so an attacker who controls it can inject arbitrary SQL into the requests the server issues. The flaw is reachable remotely over the network, and a public disclosure already exists, so exploit code or guidance should be assumed to be available.

Affected Systems

Designcomputer’s MySQL MCP Server is affected for all releases up to and including 0.2.2. The issue is resolved in release 0.3.0. Only versions prior to 0.3.0 that contain the legacy URI handler are vulnerable.

Risk and Exploitability

Because the flaw lets attacker-controlled SQL reach the database layer, the CVSS score of 5.3 reflects moderate impact; there is no current EPSS data and no listing in the CISA KEV catalogue. An attacker can send a crafted request to the server’s URI endpoint, trigger the injection, and read, modify, or delete database information. The attack requires network access to the service and does not need elevated credentials on the target system.

Generated by OpenCVE AI on June 8, 2026 at 16:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade designcomputer MySQL MCP Server to version 0.3.0 or later to apply the vendor patch.
  • If an immediate upgrade is not possible, restrict network access to the MySQL MCP Server endpoint or use a WAF to block suspicious URI patterns that could carry SQL payloads.
  • Ensure that the uri_str input is properly validated or sanitized before use in SQL statements, implementing strict parameterization or whitelist checks.
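The validation the last action calls for, as an added example that is not the project's own code. It assumes a hypothetical URI shape mysql://<table>/data and a constructed set of known table names standing in for an information_schema lookup; because a table name is an identifier rather than a value, it cannot be bound as a query parameter, so the controls are a strict identifier pattern plus an allow-list, while the row limit is bound as a parameter.

```python
from __future__ import annotations

import re
from urllib.parse import urlparse

# Assumed URI shape for this example (not taken from the project): mysql://<table>/data
# MySQL identifiers are at most 64 characters; restrict to a conservative charset.
_IDENT = re.compile(r"[A-Za-z0-9_]{1,64}")

# Constructed allow-list standing in for a SHOW TABLES / information_schema
# lookup performed against the real database at startup.
KNOWN_TABLES = frozenset({"customers", "orders", "audit_log"})


def table_from_uri(uri_str: str) -> str:
    """Return the table named by a mysql://<table>/data URI, or raise ValueError.

    Every component is checked against an exact expectation; nothing taken from
    uri_str is used unless it is a plain identifier naming a known table.
    """
    parts = urlparse(uri_str)
    if parts.scheme != "mysql":
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    if parts.path != "/data" or parts.query or parts.fragment or parts.params:
        raise ValueError("unexpected path or extra URI components")
    table = parts.netloc
    if not _IDENT.fullmatch(table):
        raise ValueError("table name is not a plain identifier")
    if table not in KNOWN_TABLES:
        raise ValueError(f"unknown table: {table!r}")
    return table


def build_read_query(uri_str: str, limit: int = 100) -> tuple[str, tuple]:
    """Build the SQL text and bound parameters for a validated URI.

    The unsafe pattern is interpolating the raw netloc into the SQL string.
    Here the identifier has already passed the regex and the allow-list, so
    backtick-quoting it is safe; the row limit is a value and is bound with
    %s (the DB-API paramstyle used by mysql-connector and PyMySQL).
    """
    table = table_from_uri(uri_str)
    return f"SELECT * FROM `{table}` LIMIT %s", (int(limit),)


def accepts(uri_str: str) -> bool:
    """True if the URI passes validation, False if it is rejected."""
    try:
        table_from_uri(uri_str)
    except ValueError:
        return False
    return True
```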


Advisories

No advisories yet.

History

Mon, 08 Jun 2026 17:30:00 +0000

Type: Metrics
Values removed: (none)
Values added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 08 Jun 2026 15:45:00 +0000

Type: Description
Values removed: (none)
Values added: A vulnerability was determined in designcomputer mysql-mcp-server up to 0.2.2. The impacted element is the function read_resource of the file src/mysql_mcp_server/server.py of the component mysql URI Handler. This manipulation of the argument uri_str causes sql injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. Upgrading to version 0.3.0 is sufficient to resolve this issue. Patch name: 080bef9a96d625ce0dfbde573a08b93497871981. Upgrading the affected component is advised.

Type: Title
Values removed: (none)
Values added: designcomputer mysql-mcp-server mysql URI server.py read_resource sql injection

Type: First Time appeared
Values removed: (none)
Values added: Designcomputer; Designcomputer mysql-mcp-server

Type: Weaknesses
Values removed: (none)
Values added: CWE-74; CWE-89

Type: CPEs
Values removed: (none)
Values added: cpe:2.3:a:designcomputer:mysql-mcp-server:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values removed: (none)
Values added: Designcomputer; Designcomputer mysql-mcp-server

Type: References
Values removed: (none)
Values added: (no value shown)

Type: Metrics
Values removed: (none)
Values added:
cvssV2_0 {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C'}
cvssV3_0 {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}
cvssV3_1 {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}
cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-08T16:26:36.609Z

Reserved: 2026-06-07T19:46:50.204Z

Link: CVE-2026-11529

Vulnrichment

Updated: 2026-06-08T16:26:33.009Z

NVD

Status : Deferred

Published: 2026-06-08T16:16:37.650

Modified: 2026-06-09T01:34:33.987

Link: CVE-2026-11529

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T08:57:04Z

Weaknesses
  • CWE-74

    Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')