🟠 High  |  Source: AWS Security Bulletins


A SQL injection vulnerability (CVE-2026-14471) has been identified in AWS’s open-source mcp-gateway-registry, specifically in the metrics-service retention policy component. An authenticated attacker can supply a malicious table_name value to execute arbitrary SQL against the metrics database, potentially exposing API keys and allowing data manipulation or deletion. Versions 1.0.3 through 1.0.12 are affected.

Security Architect’s Take: Update mcp-gateway-registry to a version beyond 1.0.12 immediately, and in the interim audit who has authenticated access to the metrics-service retention policy endpoint — treat any stored API keys as potentially compromised and rotate them as a precaution.

Original advisory: CVE-2026-14471 - Authenticated SQL injection in the metrics-service retention policy subsystem of mcp-gateway-registry