CVE-2026-33980

March 27, 2026, 10:16 p.m.

8.3
High

Description

Azure Data Explorer MCP Server is a Model Context Protocol (MCP) server that enables AI assistants to execute KQL queries and explore Azure Data Explorer (ADX/Kusto) databases through standardized interfaces. Versions up to and including 0.1.1 contain KQL (Kusto Query Language) injection vulnerabilities in three MCP tool handlers: `get_table_schema`, `sample_table_data`, and `get_table_details`. The `table_name` parameter is interpolated directly into KQL queries via f-strings without any validation or sanitization, allowing an attacker (or a prompt-injected AI agent) to execute arbitrary KQL queries against the Azure Data Explorer cluster. Commit 0abe0ee55279e111281076393e5e966335fffd30 patches the issue.

Product(s) Impacted

Vendor Product Versions
Microsoft
  • Azure Data Explorer Mcp Server
  • <0.1.1

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-943
Improper Neutralization of Special Elements in Data Query Logic
The product generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the query.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a microsoft azure_data_explorer_mcp_server <0.1.1 / / / / / / /

References

https://github.com/pab1it0/adx-mcp-server/commit/0abe0ee55279e111281076393e5e966335fffd30
https://github.com/pab1it0/adx-mcp-server/security/advisories/GHSA-vphc-468g-8rfp
https://github.com/pab1it0/adx-mcp-server/security/advisories/GHSA-vphc-468g-8rfp

Tags

[email protected]
CWE-943
2026-03-27
CVE-2026-33980

CVSS Score

8.3 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: LOW
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: LOW

    • CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

    View Vector String

Timeline

Published: March 27, 2026, 10:16 p.m.
Last Modified: March 27, 2026, 10:16 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.