Description
Azure Data Explorer MCP Server is a Model Context Protocol (MCP) server that enables AI assistants to execute KQL queries and explore Azure Data Explorer (ADX/Kusto) databases through standardized interfaces. Versions up to and including 0.1.1 contain KQL (Kusto Query Language) injection vulnerabilities in three MCP tool handlers: `get_table_schema`, `sample_table_data`, and `get_table_details`. The `table_name` parameter is interpolated directly into KQL queries via f-strings without any validation or sanitization, allowing an attacker (or a prompt-injected AI agent) to execute arbitrary KQL queries against the Azure Data Explorer cluster. Commit 0abe0ee55279e111281076393e5e966335fffd30 patches the issue.
Published: 2026-03-27
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary KQL query execution leading to unauthorized data access
Action: Immediate Patch
AI Analysis

Impact

The vulnerability lies in the MCP server’s handling of the table_name parameter, which is directly interpolated into KQL queries via f‑strings without sanitization. This flaw allows an attacker or a maliciously prompted AI assistant to inject arbitrary KQL code, granting the ability to read, modify, or delete data in the Azure Data Explorer cluster. The weakness is a classic command injection, specifically CWE‑943, and can have serious confidentiality and integrity consequences.

Affected Systems

The affected product is the adx‑mcp‑server maintained by pab1it0. Versions up to and including 0.1.1 are vulnerable; any installation using those releases should be considered at risk.

Risk and Exploitability

With a CVSS score of 8.3 the vulnerability is classified as high severity. The EPSS score is not available, and the flaw has not yet been listed in the CISA KEV catalog. The likely attack vector is through legitimate MCP client traffic or an AI assistant that is given control of the client; the attacker need not have prior credentials beyond the ability to send MCP requests.

Generated by OpenCVE AI on March 28, 2026 at 05:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the MCP server to a version newer than 0.1.1, applying the patch referenced in commit 0abe0ee55279e111281076393e5e966335fffd30.
  • Restrict network access to the MCP server so that only trusted clients can communicate with it.
  • Implement input validation or parameterization in any custom MCP handlers to ensure that table names cannot be maliciously crafted.
  • Monitor MCP traffic and audit KQL logs for anomalous query patterns.

Generated by OpenCVE AI on March 28, 2026 at 05:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-vphc-468g-8rfp Azure Data Explorer MCP Server: KQL Injection in multiple tools allows MCP client to execute arbitrary Kusto queries
History

Wed, 22 Apr 2026 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Pab1it0 azure Data Explorer Mcp Server
CPEs cpe:2.3:a:pab1it0:azure_data_explorer_mcp_server:*:*:*:*:*:*:*:*
Vendors & Products Pab1it0 azure Data Explorer Mcp Server

Mon, 30 Mar 2026 07:15:00 +0000

Type Values Removed Values Added
First Time appeared Pab1it0
Pab1it0 adx-mcp-server
Vendors & Products Pab1it0
Pab1it0 adx-mcp-server

Sat, 28 Mar 2026 03:15:00 +0000

Type Values Removed Values Added
Description Azure Data Explorer MCP Server is a Model Context Protocol (MCP) server that enables AI assistants to execute KQL queries and explore Azure Data Explorer (ADX/Kusto) databases through standardized interfaces. Versions up to and including 0.1.1 contain KQL (Kusto Query Language) injection vulnerabilities in three MCP tool handlers: `get_table_schema`, `sample_table_data`, and `get_table_details`. The `table_name` parameter is interpolated directly into KQL queries via f-strings without any validation or sanitization, allowing an attacker (or a prompt-injected AI agent) to execute arbitrary KQL queries against the Azure Data Explorer cluster. Commit 0abe0ee55279e111281076393e5e966335fffd30 patches the issue.
Title Azure Data Explorer MCP Server: KQL Injection in multiple tools allows MCP client to execute arbitrary Kusto queries
Weaknesses CWE-943
References
Metrics cvssV3_1

{'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Subscriptions

Pab1it0 Adx-mcp-server Azure Data Explorer Mcp Server
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-27T21:56:16.579Z

Reserved: 2026-03-24T22:20:06.210Z

Link: CVE-2026-33980

cve-icon Vulnrichment

Updated: 2026-03-27T21:56:12.790Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-27T22:16:22.607

Modified: 2026-04-22T14:38:22.487

Link: CVE-2026-33980

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-30T06:59:59Z

Weaknesses