CVE-2026-33980

Azure Data Explorer MCP Server, a Model Context Protocol (MCP) server that allows AI assistants to execute KQL queries and explore Azure Data Explorer (ADX/Kusto) databases via standardized interfaces, contains KQL injection vulnerabilities in versions up to and including 0.1.1. The flaws affect three MCP tool handlers—get_table_schema, sample_table_data, and get_table_details—where the table_name parameter is directly interpolated into KQL queries using f-strings without validation or sanitization. This enables attackers to inject and execute arbitrary KQL queries against the connected Azure Data Explorer cluster. The vulnerability is rated with a CVSS v3.1 base score of 8.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L) and is associated with CWE-943.

Attackers with low privileges (PR:L) can exploit this over the network with low complexity and no user interaction required. Exploitation occurs by supplying a malicious table_name value, potentially through direct access to the MCP server or via a prompt-injected AI agent interacting with the tools. Successful attacks allow arbitrary KQL query execution, enabling high confidentiality and integrity impacts such as data exfiltration, modification, or limited denial of service, depending on the attacker's permissions within the Azure Data Explorer cluster.

The patching commit 0abe0ee55279e111281076393e5e966335fffd30 addresses the issue by fixing the injection flaws in the affected handlers. Security practitioners should update to a version incorporating this commit, as detailed in the GitHub security advisory GHSA-vphc-468g-8rfp.

This vulnerability has particular relevance to AI/ML deployments, as it targets an MCP server designed for AI assistants, highlighting risks of prompt injection leading to database compromise in agentic AI workflows. No public evidence of real-world exploitation is available as of publication on 2026-03-27.