GHSA-vphc-468g-8rfp: Azure Data Explorer MCP Server: KQL Injection in multiple tools allows MCP client to execute arbitrary Kusto queries
Summary
The Azure Data Explorer MCP Server (adx-mcp-server) has KQL injection vulnerabilities (a form of code injection in which untrusted input is inserted into database queries) in three tools that inspect database tables. Because the `table_name` parameter is inserted directly into Kusto Query Language (KQL) queries using Python f-strings, without validation or escaping, an attacker or a prompt-injected AI agent can execute arbitrary database commands, including reading sensitive data or deleting tables.
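The pattern the advisory describes, shown as an added illustration rather than the project's own code: a query builder that interpolates `table_name` with an f-string, beside a hardened version that accepts only identifier-shaped names and, where available, only names present in the database's real table list. The query shape (`<table> | getschema`), the `build_*` function names and the identifier length limit are assumptions for this example.

```python
import re
from typing import Iterable, Optional

# Allowlist for a bare KQL table identifier: letters, digits and underscores,
# not starting with a digit. The length bound is an assumption for this example.
KQL_IDENTIFIER = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,1023}")


class InvalidTableName(ValueError):
    """Raised when a caller-supplied table name fails validation."""


def build_schema_query_vulnerable(table_name: str) -> str:
    # The vulnerable shape: whatever the MCP client sends becomes part of the
    # query text, so pipes, semicolons or control commands pass straight through.
    return f"{table_name} | getschema"


def validate_table_name(table_name: str,
                        known_tables: Optional[Iterable[str]] = None) -> str:
    """Return table_name unchanged if it is a plain identifier (and, when a
    table list is supplied, an actual table); otherwise raise."""
    if not KQL_IDENTIFIER.fullmatch(table_name):
        raise InvalidTableName(f"table name is not a plain identifier: {table_name!r}")
    if known_tables is not None and table_name not in set(known_tables):
        raise InvalidTableName(f"unknown table: {table_name!r}")
    return table_name


def build_schema_query(table_name: str,
                       known_tables: Optional[Iterable[str]] = None) -> str:
    # Hardened shape: the name is validated before it ever touches query text.
    # Names that would need bracket quoting in KQL are rejected, not escaped,
    # so the table-list check is the authoritative one when it is available.
    safe_name = validate_table_name(table_name, known_tables)
    return f"{safe_name} | getschema"


if __name__ == "__main__":
    # Constructed inputs: a normal name and one that smuggles in extra operators.
    print(build_schema_query_vulnerable("Events | take 5"))
    try:
        build_schema_query("Events | take 5", known_tables=["Events"])
    except InvalidTableName as exc:
        print("rejected:", exc)
```

Validating the name is the fix the advisory's description calls for; checking it against `.show tables` output as well closes the gap for names the regex cannot vouch for.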
Vulnerability Details
EPSS: 0.0%
March 27, 2026
Original source: https://github.com/advisories/GHSA-vphc-468g-8rfp
First tracked: March 28, 2026 at 02:00 AM