CVE-2026-14471 PUBLISHED

Authenticated SQL injection in the metrics-service retention policy subsystem of mcp-gateway-registry

Assigner: AMZN
Reserved: 02.07.2026 Published: 06.07.2026 Updated: 07.07.2026

Improper Neutralization of Special Elements in the metrics-service retention policy management component in Amazon mcp-gateway-registry before 1.0.13 might allow an authenticated remote user to execute arbitrary SQL queries via a crafted table_name value that is interpolated into SQL statements in identifier position.

To remediate this issue, users should upgrade to version 1.0.13 or later.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
CVSS Score: 8.6

Product Status

Vendor AWS
Product MCP Gateway & Registry
Versions Default: unaffected
  • affected from 1.0.3 to 1.0.12 (incl.)

References

Problem Types

  • CWE-89 Improper neutralization of special elements used in an SQL command ('SQL injection') CWE

Impacts

  • CAPEC-66 SQL Injection