
Deep Dive into the MCP Security Flaw: How a Support Ticket Became a Database "Trojan Horse"

This article introduces the MCP security flaw where AI tools can be tricked into executing malicious database commands, and how Alibaba Cloud DMS MCP Server offers a secure solution.

By Tianzhen Wang & Yanbei Pang

1. Background: When AI Meets Databases—A Productivity Revolution or a Security Crisis?

Recently, the disclosure of a security vulnerability related to Model Context Protocol (MCP) by the security firm General Analysis has caused a significant stir in the tech community.

Following this, the CEO of Supabase warned developers: "An insecure MCP could allow attackers to steal your Supabase data."

Reference: https://www.generalanalysis.com/blog/supabase-mcp-blog

Analyzing the typical attack scenario published by General Analysis, the process unfolds as follows: an attacker plants malicious instructions in the database through an ordinary input channel (such as a support ticket). When a developer later uses an AI tool connected via MCP to manage this data, the AI treats the stored text as a command rather than as data. As a result, sensitive data that should never have been touched is written into a table controlled by the attacker, achieving their objective. In short, the attacker uses planted instructions to trick the AI tool into writing sensitive data into a table they control.

Below is a sequence diagram of the attack:

[Sequence diagram of the attack]

This "Trojan Horse" attack vector reveals a stark new reality: in the age of AI, traditional database security models are no longer sufficient.

2. The Fatal Flaws of Common AI Database Copilots

1. Uncontrolled, Over-Privileged Access

• AI copilots are often granted excessive permissions, such as service_role or even root access.

• They typically lack fine-grained access control mechanisms.

• There's often no effective separation between development and production environments.

2. Inadequate Security Safeguards

• No built-in defense against malicious SQL injection hidden within user data.

• Lack of comprehensive audit trails and activity tracking.

• Completely defenseless against prompt injection attacks that leverage data context.

3. Disorganized Credential Management

• Database credentials are often hardcoded or directly exposed to the AI tool.

• Centralized, secure credential management is frequently an afterthought.

• A single credential leak can have catastrophic consequences.

To address these critical gaps, Alibaba Cloud's Data Management (DMS) has introduced its MCP Server solution. It's engineered from the ground up for secure database access in the age of AI, not only mitigating the risks of traditional tools but also establishing a new paradigm for secure, intelligent, and efficient data interaction.

3. Alibaba Cloud DMS MCP Server: A Four-Layered Defense System for Comprehensive Data Security

Facing these modern challenges, the Alibaba Cloud DMS MCP Server provides a defense-in-depth solution:


1. Secure Credential Hosting: All database credentials are centrally managed and hosted by DMS, with support for encrypted storage and automated rotation. The AI copilot never needs direct access to raw credentials, eliminating the risk of leaks at the source.

2. Fine-Grained Access Control: DMS provides five granular levels of control: instance, database, table, column, and row. This allows you to grant AI applications permissions based on the principle of least privilege, with support for temporary access and automatic permission revocation.

3. Intelligent SQL Security Engine: A powerful, built-in SQL security engine, fortified with multiple security rule libraries and support for custom policies, analyzes every database request in real time. It actively identifies and blocks high-risk SQL commands before they can execute.

4. Comprehensive Audit Trails: Every database operation performed via the DMS MCP Server is meticulously logged. This enables full operation playback and forensic analysis, ensuring you can trace any issue and meet strict compliance and auditing requirements.

4. Case Study: Thwarting the "Trojan Horse" Attack with Alibaba Cloud DMS MCP Server

Let's revisit the attack scenario from the beginning and see how the DMS MCP Server would have neutralized the threat.

The Attack Scenario

An attacker submits a support ticket containing malicious instructions, hoping the AI assistant will ingest this data into its context and execute a dangerous SQL command.

The DMS MCP Server Defense Mechanism


1. Intent-Based Protection at the Entrypoint

The DMS MCP Server's NL2SQL (Natural Language to SQL) engine first parses the user's intent. The malicious string, hidden in data, is not part of the user's direct command and thus is not recognized as a valid business query. The system refuses to generate or execute any SQL based on it.

2. Permission Isolation

Even if a malicious query were somehow generated, the AI assistant operates with the bare-minimum privileges required for its job. Any attempt to access unauthorized tables or schemas would be immediately blocked by the access control system.

3. Real-Time Interception

As a final line of defense, the SQL security engine inspects the query before it reaches the database. It identifies the anomalous pattern (e.g., attempting to insert sensitive data into an unrelated table), automatically blocks the query, and triggers a security alert to notify administrators.

4. Immutable Audit Trails

Regardless of whether the query succeeded or was blocked, DMS records a complete log of the entire event. This provides an immutable audit trail for rapid incident response and post-mortem analysis.

5. Best Practices: Building a Secure AI Data Access Architecture

Follow these principles to construct a robust AI data security framework using the DMS MCP Server:

1. Environment Isolation

• Production: Grant read-only permissions by default.

• Development/Testing: Read-write permissions may be granted, but always adhere to the principle of least privilege.

2. The Principle of Least Privilege

• Create unique, isolated access roles for each AI application.

• Grant access only to the specific tables and columns necessary for the application's function.

• Regularly audit and revoke permissions that are no longer needed.

3. Security Rule Configuration

• Enable built-in SQL injection detection rules.

• Configure rules to identify and protect sensitive data patterns.

• Set thresholds for alerting on abnormal behavior or query volumes.

4. Auditing and Monitoring

• Regularly review SQL execution logs for anomalies.

• Monitor for unusual access patterns.

• Establish a formal incident response plan.
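The interception, permission-isolation and audit logic that section 4 describes, together with the read-only-production and table allow-list rules of this section, as a Python sketch of the gate an MCP server would run before executing AI-generated SQL. This is an added example, not DMS code or its API: the policy shape, the table names (support_tickets, support_messages, integration_tokens) and the statements are constructed for the demonstration, and keyword matching stands in for the real SQL parser a security engine would use.

```python
import re
from dataclasses import dataclass

# Constructed policy for one AI application, modelled on the controls described in the
# article: a per-environment write switch, a table allow-list, and a set of sensitive tables.
@dataclass(frozen=True)
class AccessPolicy:
    environment: str             # "production" (read-only) or "development"
    allowed_tables: frozenset    # only these tables may appear in a statement
    sensitive_tables: frozenset  # never a data source for a write into another table

WRITE_VERBS = {"insert", "update", "delete", "merge", "drop", "alter", "truncate", "create", "grant"}
IDENT = r'[`"]?(\w+)[`"]?'
SOURCE_REF = re.compile(r"\b(?:from|join)\s+" + IDENT, re.IGNORECASE)          # tables read
TARGET_REF = re.compile(r"\b(?:into|update|table)\s+" + IDENT, re.IGNORECASE)  # tables written

def check_sql(sql, policy, audit_log):
    """Gate one AI-generated statement before it reaches the database. Returns the audit
    record (always appended); keyword matching stands in for a real parser and fails closed."""
    body = sql.strip().rstrip(";")
    verb = body.split(None, 1)[0].lower() if body else ""
    sources = {t.lower() for t in SOURCE_REF.findall(body)}
    targets = {t.lower() for t in TARGET_REF.findall(body)}
    tables = sources | targets
    is_write = verb in WRITE_VERBS or verb == "with"  # a CTE may wrap a write
    if ";" in body:
        reason = "multiple statements in one request"
    elif is_write and policy.environment == "production":
        reason = "production is read-only for AI applications"
    elif not tables <= policy.allowed_tables:
        reason = f"tables outside allow-list: {sorted(tables - policy.allowed_tables)}"
    elif is_write and (sources & policy.sensitive_tables) and (targets - policy.sensitive_tables):
        reason = "copies data out of a sensitive table into another table"
    else:
        reason = "ok"
    record = {"environment": policy.environment, "sql": sql, "verb": verb,
              "tables": sorted(tables), "allowed": reason == "ok", "reason": reason}
    audit_log.append(record)  # every request is logged, allowed or blocked
    return record

if __name__ == "__main__":
    audit = []
    prod = AccessPolicy("production", frozenset({"support_tickets", "support_messages"}),
                        frozenset({"integration_tokens"}))
    # Constructed: a legitimate triage query, then the write a hostile ticket steers the assistant toward.
    for sql in ("SELECT id, subject FROM support_tickets WHERE status = 'open'",
                "INSERT INTO support_messages (content) SELECT token FROM integration_tokens"):
        r = check_sql(sql, prod, audit)
        print("ALLOW" if r["allowed"] else "BLOCK", "|", r["reason"], "|", sql)
```

In a development policy that legitimately includes integration_tokens in the allow-list, the same injected statement is still blocked by the sensitive-table rule, which is the "anomalous pattern" the article's interception step refers to.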

6. Conclusion: Act Now to Secure the Future of AI-Driven Data Access

The MCP security flaw has sounded a clear alarm for the industry. The Alibaba Cloud DMS MCP Server is not just a reaction to these incidents but a proactive strategy for the future.

It enables enterprises to:

• Embrace AI with confidence, free from the fear of data breaches.

• Boost developer productivity by making AI a safe and reliable tool.

• Meet compliance requirements with ease, thanks to robust auditing.

• Reduce operational costs by unifying management across multi-cloud and multi-database environments.

The launch of the DMS MCP Server signals a new phase in database access—a phase where security isn't a trade-off for efficiency, but rather the foundation of it.

In today's landscape, building a secure data foundation for your AI applications is non-negotiable, and a proactive, defense-in-depth strategy is the surest way to get there.
