
CVE-2026-33980: CWE-943: Improper Neutralization of Special Elements in Data Query Logic in pab1it0 adx-mcp-server

Severity: High
Published: Fri Mar 27 2026 (03/27/2026, 21:32:57 UTC)
Source: CVE Database V5
Vendor/Project: pab1it0
Product: adx-mcp-server

Description

Azure Data Explorer MCP Server is a Model Context Protocol (MCP) server that enables AI assistants to execute KQL queries and explore Azure Data Explorer (ADX/Kusto) databases through standardized interfaces. Versions up to and including 0.1.1 contain KQL (Kusto Query Language) injection vulnerabilities in three MCP tool handlers: `get_table_schema`, `sample_table_data`, and `get_table_details`. The `table_name` parameter is interpolated directly into KQL queries via f-strings without any validation or sanitization, allowing an attacker (or a prompt-injected AI agent) to execute arbitrary KQL queries against the Azure Data Explorer cluster. Commit 0abe0ee55279e111281076393e5e966335fffd30 patches the issue.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 03/27/2026, 21:51:35 UTC

Technical Analysis

CVE-2026-33980 is a KQL injection vulnerability classified under CWE-943 (Improper Neutralization of Special Elements in Data Query Logic) affecting the pab1it0 adx-mcp-server, a Model Context Protocol server that facilitates AI assistants in querying Azure Data Explorer (ADX) databases. The vulnerability exists in versions up to and including 1.1.0, where the 'table_name' parameter is directly embedded into KQL queries using Python f-strings without any sanitization or validation. This insecure coding practice allows an attacker or a prompt-injected AI agent to craft malicious input that alters the intended query logic, enabling arbitrary KQL query execution. The affected MCP tool handlers are get_table_schema, sample_table_data, and get_table_details, all of which interact with database metadata and data retrieval functions. Exploiting this flaw can lead to unauthorized data disclosure, data integrity compromise, and potential data manipulation within the Azure Data Explorer environment. The vulnerability requires only network access and low privileges, with no user interaction needed, making it relatively easy to exploit remotely. The issue was addressed in a code commit (0abe0ee55279e111281076393e5e966335fffd30) that introduced proper input validation and neutralization of special characters in the 'table_name' parameter. No known exploits have been reported in the wild as of the publication date. The CVSS v3.1 base score is 8.3 (High), reflecting the critical impact on confidentiality and integrity with low attack complexity and no user interaction required.
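The f-string pattern described above, next to one way to neutralize it, as an added example that is not code from adx-mcp-server or from the patch commit. The `| getschema` query shape, the function names, the allowlist rule and the sample inputs are assumptions made for illustration.

```python
import re

# Assumed allowlist for this example: a letter or underscore followed by
# letters, digits or underscores. Deliberately stricter than what Kusto accepts.
_TABLE_NAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,127}")


def build_schema_query_vulnerable(table_name: str) -> str:
    """Pattern the advisory describes: table_name goes into the KQL text as-is."""
    return f"{table_name} | getschema"


def quote_table_name(table_name: str) -> str:
    """Validate table_name, then emit it as a bracket-quoted KQL entity name."""
    # fullmatch() is used instead of match() with '$', because '$' also matches
    # just before a trailing newline and would let "Name\n" through.
    if not isinstance(table_name, str) or not _TABLE_NAME_RE.fullmatch(table_name):
        raise ValueError(f"rejected table name: {table_name!r}")
    return f"['{table_name}']"


def build_schema_query_safe(table_name: str) -> str:
    """Same query, but the name can only ever be a single entity reference."""
    return f"{quote_table_name(table_name)} | getschema"


# Constructed sample inputs (not taken from the advisory).
BENIGN = "StormEvents"
HOSTILE = "StormEvents | union OtherTable"  # pipe turns the "name" into more query


def is_rejected(table_name: str) -> bool:
    """True when the hardened builder refuses the input."""
    try:
        build_schema_query_safe(table_name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable:", build_schema_query_vulnerable(HOSTILE))
    print("safe      :", build_schema_query_safe(BENIGN))
    print("rejected  :", is_rejected(HOSTILE))
```

The same `quote_table_name` check would apply to every handler that accepts `table_name`, so validation lives in one place rather than being repeated per query.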

Potential Impact

The primary impact of CVE-2026-33980 is unauthorized access and manipulation of data within Azure Data Explorer clusters. Attackers exploiting this vulnerability can execute arbitrary KQL queries, potentially extracting sensitive information, modifying data, or disrupting data integrity. This can lead to data breaches, exposure of confidential business intelligence, and undermining trust in data accuracy. Since the vulnerability affects AI assistant interfaces, it also raises concerns about automated systems being manipulated to perform malicious queries. The availability impact is limited but could occur if malicious queries degrade cluster performance or cause resource exhaustion. Organizations relying on Azure Data Explorer for critical analytics and decision-making may face operational and reputational damage. The ease of exploitation combined with the high impact on confidentiality and integrity makes this a significant threat to any entity using the affected adx-mcp-server versions.

Mitigation Recommendations

1. Immediately upgrade the pab1it0 adx-mcp-server to version 1.1.1 or later where the vulnerability is patched.
2. Implement strict input validation and sanitization on all user-supplied parameters, especially 'table_name', to neutralize special characters and prevent query injection.
3. Employ least privilege principles for accounts accessing the MCP server to limit potential damage from exploitation.
4. Monitor and audit KQL query logs for unusual or unauthorized query patterns indicative of injection attempts.
5. Use network segmentation and firewall rules to restrict access to the MCP server to trusted sources only.
6. Consider deploying Web Application Firewalls (WAFs) or query filtering mechanisms that can detect and block suspicious KQL injection payloads.
7. Educate AI assistant developers and operators about the risks of prompt injection and enforce secure coding practices when integrating AI with data query interfaces.
8. Regularly review and update security policies for AI-driven data access to include threat modeling for injection attacks.


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-03-24T22:20:06.210Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69c6fa4f3c064ed76ffa5f1d

Added to database: 3/27/2026, 9:44:47 PM

Last enriched: 3/27/2026, 9:51:35 PM

Last updated: 3/27/2026, 11:02:17 PM
