Researcher finds three serious Model Context Protocol vulnerabilities, including a database exploit
- Security researcher DeteAct disclosed three Model Context Protocol flaws on May 13, affecting MCP servers for Apache Doris, Alibaba Cloud RDS and Apache Pinot.
- The Register reported that at least one vendor had not patched its issue; separately, Thomson Reuters on May 12 announced a Claude-to-CoCounsel Legal MCP integration.
- Anthropic's MCP courses are live on Claude's training site, and Thomson Reuters said the legal integration is in beta.
Security researcher DeteAct disclosed three vulnerabilities in Model Context Protocol (MCP) servers tied to database tooling on May 13, according to The Register. The report said the flaws could let attackers run unintended SQL against Apache Doris, pull metadata from Alibaba Cloud RDS and potentially take control of internet-exposed Apache Pinot instances. (theregister.com)

The findings arrived as Anthropic expands MCP training and Thomson Reuters rolls out an MCP connection between Claude and its CoCounsel Legal product.

MCP is a standard for connecting AI systems to tools and data sources. Its specification states that the protocol itself cannot enforce security principles at the protocol level, and that implementers should build consent and authorization flows, document the security implications of their integrations, and apply access controls and data protections. (modelcontextprotocol.io)

Anthropic's public training catalog now includes "Introduction to Model Context Protocol" and "Model Context Protocol: Advanced Topics," a sign of how quickly the ecosystem is moving from developer experiment to formal training material. (claude.com)

### Which systems were reported as vulnerable?

The Register said the three affected targets were MCP servers for Apache Doris, Alibaba Cloud RDS and Apache Pinot. Per the report, the Doris issue could allow execution of unintended SQL statements, the Alibaba Cloud RDS issue could expose sensitive metadata, and the Pinot issue could allow takeover of exposed instances. (theregister.com)

The Register reported that only one of the three had a patch at publication and that one vendor would not fix its issue. The article attributed the findings to DeteAct, which it described as a bug hunter.

### Why does MCP security depend on more than the protocol itself?

The MCP specification places authorization at the transport level for HTTP-based deployments and frames MCP clients as OAuth clients making requests on behalf of resource owners. Authorization is optional in the specification, and servers using the STDIO transport are expected to retrieve credentials from their environment rather than follow the HTTP authorization flow, so the OAuth layer does nothing for a locally spawned database server. (modelcontextprotocol.io)
A separate security tutorial on the official MCP site says authorization is meant to protect sensitive resources and operations exposed by MCP servers. Microsoft's Azure App Service documentation says MCP server authorization controls access to the server but "doesn't provide granular control" over individual tools or other constructs. (learn.microsoft.com) That leaves implementers to add narrower permissions, approval paths and monitoring around specific tool actions if they want tighter controls: a token that is valid for the server is not evidence that the caller should be allowed to invoke a particular tool, let alone run an arbitrary SQL statement through it.

### Where is adoption accelerating despite those risks?

Anthropic's Claude training site now offers structured MCP coursework, including introductory and advanced classes. The company's learning materials place MCP alongside Claude API and Claude Code instruction, indicating it is being taught as a core part of the Claude development stack. (claude.com)

Thomson Reuters said on May 12 that it had expanded its Anthropic partnership with a new MCP integration connecting Claude directly to CoCounsel Legal. The company said legal professionals can move between Claude and citation-grounded legal workflows from either environment, and described the product as being in beta. (thomsonreuters.com)

### What does the official guidance say enterprises should add?

The official MCP site says enterprise-managed authorization is meant to let IT and security teams manage access policies centrally instead of relying on each employee to authorize each MCP server individually. The extension documentation says that user-by-user authorization can create friction and security gaps in enterprise settings. (modelcontextprotocol.io)

Red Hat said in a March 2026 blog post that MCP servers should verify access tokens and enforce scope and role checks, while best-practices guidance collected by the MCP community recommends least-privilege defaults, read-only tools by default and audit built into the server. (redhat.com)
Token verification, scope checks, read-only defaults and audit logging are implementation choices, not guarantees the protocol supplies automatically.

### What happens next for teams deploying MCP?

The Register's May 13 report said at least one vendor had not patched the flaw it described, leaving remediation uneven across the affected projects. Platform teams adopting MCP for databases and other sensitive systems will therefore need to track vendor fixes at the project level rather than assume the protocol itself closes the gap. (theregister.com)

Anthropic's MCP courses remain available on its Claude training site, and Thomson Reuters said its Claude-to-CoCounsel Legal MCP integration is in beta as of May 12. Those milestones give security teams two concrete places to watch next: the training material shaping new deployments and the vendor-specific products bringing MCP into production workflows. (claude.com) (thomsonreuters.com)