Erupt SQL Injection Vulnerability in MCP Tool Interface
Vulnerability
A SQL injection vulnerability (more precisely, an HQL injection) has been identified in Erupt versions through 1.13.3, within the MCP Tool Interface component. The flaw is in the EruptDataQuery function, which takes a Hibernate Query Language (HQL) string supplied by the caller and hands it to the query engine without any validation or sanitization. Because Hibernate translates HQL into SQL against the application's mapped entities, an authenticated caller holding OpenAPI credentials can run arbitrary queries against the backing database, leading to unauthorized data access or manipulation. The prerequisite is valid OpenAPI credentials; no unauthenticated path is described.
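The following is an added example, not code from Erupt or from this advisory. It contrasts the vulnerable shape described above (executing an HQL string exactly as the MCP tool caller sent it) with a hardened tool that accepts a structured request, checks the entity and field names against an allowlist, and binds filter values as named parameters so they never become part of the HQL text. The QueryRunner interface stands in for javax.persistence.EntityManager so the file runs on a bare JDK (16+, for records); the entity and field names in ALLOWED and in the sample payloads are hypothetical.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

/**
 * Added example (not Erupt's code): caller-supplied HQL versus an
 * allowlisted, parameterized query builder.
 */
public class HqlQueryHardening {

    /** Stand-in for EntityManager.createQuery(..).setParameter(..).getResultList() (assumption). */
    interface QueryRunner {
        List<Object> run(String hql, Map<String, Object> params);
    }

    /** Vulnerable shape: whatever the tool caller sent is executed verbatim. */
    static List<Object> vulnerableQuery(QueryRunner runner, String hqlFromCaller) {
        return runner.run(hqlFromCaller, Map.of());
    }

    /** Structured request the tool should accept instead of a raw HQL string. */
    record FilterRequest(String entity, Map<String, Object> equalsFilters, int limit) {}

    /** Hypothetical allowlist: entity name -> fields the tool may filter on. */
    static final Map<String, Set<String>> ALLOWED = Map.of(
        "Customer", Set.of("id", "name", "region"),
        "Order", Set.of("id", "status", "customerId")
    );

    /** Hardened shape: identifiers come from the allowlist, values are bound, rows are capped. */
    static List<Object> safeQuery(QueryRunner runner, FilterRequest req) {
        Set<String> fields = ALLOWED.get(req.entity());
        if (fields == null) {
            throw new IllegalArgumentException("entity not queryable: " + req.entity());
        }
        if (req.limit() < 1 || req.limit() > 500) {
            throw new IllegalArgumentException("limit out of range: " + req.limit());
        }
        StringBuilder hql = new StringBuilder("select e from ").append(req.entity()).append(" e");
        Map<String, Object> params = new LinkedHashMap<>();
        List<String> clauses = new ArrayList<>();
        int i = 0;
        for (Map.Entry<String, Object> f : req.equalsFilters().entrySet()) {
            String field = f.getKey();
            if (!fields.contains(field)) {
                throw new IllegalArgumentException("field not queryable: " + field);
            }
            String p = "p" + i++;
            clauses.add("e." + field + " = :" + p); // only the allowlisted name reaches the HQL text
            params.put(p, f.getValue());            // the caller's value is bound, never concatenated
        }
        if (!clauses.isEmpty()) {
            hql.append(" where ").append(String.join(" and ", clauses));
        }
        return runner.run(hql.toString(), params);
    }

    public static void main(String[] args) {
        // Fake runner: echoes the HQL and parameter map it would hand to Hibernate.
        QueryRunner echo = (hql, params) -> List.of(hql + "  params=" + params);

        // Constructed attacker payload: arbitrary HQL reaches the engine unchanged.
        System.out.println(vulnerableQuery(echo,
            "select u from AppUser u where u.isAdmin = true"));

        // Same value through the structured path: the quote-breaking string is a bound parameter.
        FilterRequest ok = new FilterRequest("Customer", Map.of("region", "EU' or '1'='1"), 50);
        System.out.println(safeQuery(echo, ok));

        // Reaching for an entity outside the allowlist fails before any HQL is built.
        try {
            safeQuery(echo, new FilterRequest("AppUser", Map.of(), 50));
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The design point is that an MCP tool exposed to a model or to API clients should never accept a query language as input at all; the tool's contract is the structured request, and the allowlist (not escaping) decides which entities and fields are reachable. Row caps and per-entity allowlists also bound the blast radius if the OpenAPI credentials themselves are leaked.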
Impact
Exploitation allows arbitrary HQL to be executed with the privileges of the application's database connection. HQL supports select, update and delete statements over every entity mapped by the application, so an attacker can read or modify any such entity, resulting in unauthorized disclosure of sensitive data or manipulation of database records. The attack requires valid OpenAPI credentials, so credential hygiene for that interface limits, but does not remove, the exposure.
