—
PYSEC-2026-1315
Apache Doris-MCP-Server: Improper Access Control results in bypassing a "read-only" mode
Details
An attacker with a valid read-only account can bypass Doris MCP Server’s read-only mode due to improper access control, allowing modifications that should have been prevented by read-only restrictions.
Impact:
Bypasses read-only mode; attackers with read-only access may perform unauthorized modifications.
Recommended action for operators: Upgrade to version 0.6.0 as soon as possible (this release contains the fix).
Are you affected?
Enter the version of the package you're using.
Affected packages
PyPI / doris-mcp-server
Introduced in:
0 Fixed in: 0.6.0 Fix
pip install --upgrade 'doris-mcp-server>=0.6.0' References
- https://nvd.nist.gov/vuln/detail/CVE-2025-58337 [ADVISORY]
- https://github.com/apache/doris-mcp-server/commit/5923cc1c8973069a6d54eca1948a10488cbf409e [WEB]
- https://github.com/apache/doris-mcp-server [PACKAGE]
- https://lists.apache.org/thread/6tswlphj0pqn9zf25594r3c1vzvfj40h [WEB]
- https://security.snyk.io/vuln/SNYK-PYTHON-DORISMCPSERVER-13835132 [WEB]
- http://www.openwall.com/lists/oss-security/2025/11/04/5 [WEB]
- https://pypi.org/project/doris-mcp-server [PACKAGE]
- https://github.com/advisories/GHSA-m35w-xx8c-6xc7 [ADVISORY]