CVE-2026-33980
Status: Received - Intake
KQL Injection in Azure Data Explorer MCP Server Enables Arbitrary Queries

Publication date: 2026-03-27

Last updated on: 2026-04-22

Assigner: GitHub, Inc.

Description
Azure Data Explorer MCP Server is a Model Context Protocol (MCP) server that enables AI assistants to execute KQL queries and explore Azure Data Explorer (ADX/Kusto) databases through standardized interfaces. Versions up to and including 0.1.1 contain KQL (Kusto Query Language) injection vulnerabilities in three MCP tool handlers: `get_table_schema`, `sample_table_data`, and `get_table_details`. The `table_name` parameter is interpolated directly into KQL queries via f-strings without any validation or sanitization, allowing an attacker (or a prompt-injected AI agent) to execute arbitrary KQL queries against the Azure Data Explorer cluster. Commit 0abe0ee55279e111281076393e5e966335fffd30 patches the issue.
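The f-string pattern the description refers to, beside a hardened query builder, as an added Python example (this is not the project's code; the table names, the `KNOWN_TABLES` allow-list and the function names are assumptions made for illustration):

```python
import re

# Constructed allow-list: in practice this would be populated from the
# database schema (e.g. the result of `.show tables`) at startup.
KNOWN_TABLES = {"StormEvents", "Logs_2026"}

# A plain KQL identifier: letters, digits and underscores only. Anything
# else (pipes, quotes, brackets, whitespace) cannot reach the query text.
_IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,1023}$")


def build_sample_query_unsafe(table_name: str, limit: int = 10) -> str:
    """Vulnerable pattern as described in the advisory: the caller-controlled
    table_name is interpolated straight into the KQL text, so any operators
    it contains become part of the query."""
    return f"{table_name} | take {limit}"


def validate_table_name(table_name: str) -> str:
    """Accept only a bare identifier that names a table we already know."""
    if not _IDENTIFIER.match(table_name):
        raise ValueError(f"invalid table name: {table_name!r}")
    if table_name not in KNOWN_TABLES:
        raise ValueError(f"unknown table: {table_name!r}")
    return table_name


def rejects(table_name: str) -> bool:
    """True if the validator refuses the name (handy for tests and logging)."""
    try:
        validate_table_name(table_name)
    except ValueError:
        return True
    return False


def build_sample_query(table_name: str, limit: int = 10) -> str:
    """Hardened builder: only a validated identifier reaches the query, and
    the row limit is coerced to a bounded integer instead of being
    interpolated as given."""
    name = validate_table_name(table_name)
    limit = max(1, min(int(limit), 1000))
    return f"{name} | take {limit}"
```

The same validator applies to the other two handlers named in the description, since all three interpolate the same `table_name` parameter.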
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-03-28
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: pab1it0
Product: azure_data_explorer_mcp_server
Version / Range: to 0.1.0 (inc)
CWE
CWE-943: The product generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the query.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in Azure Data Explorer MCP Server versions up to and including 0.1.1. It involves KQL (Kusto Query Language) injection in three MCP tool handlers: get_table_schema, sample_table_data, and get_table_details. The issue arises because the table_name parameter is directly inserted into KQL queries using f-strings without any validation or sanitization. This allows an attacker or a prompt-injected AI agent to execute arbitrary KQL queries against the Azure Data Explorer cluster.

How can this vulnerability impact me?

The vulnerability can have a significant impact as it allows an attacker to execute arbitrary KQL queries on the Azure Data Explorer cluster. According to the CVSS v3.1 score of 8.3, it has high confidentiality and integrity impacts, and a low attack complexity. This means an attacker with limited privileges can potentially access, modify, or disrupt sensitive data within the database, leading to data breaches, unauthorized data manipulation, or denial of service.
What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, upgrade Azure Data Explorer MCP Server to a version later than 0.1.1 where the issue is patched (commit 0abe0ee55279e111281076393e5e966335fffd30).

Avoid using vulnerable versions that interpolate the `table_name` parameter directly into KQL queries without validation or sanitization.