Summarizer

MCP Security Concerns

Skepticism about MCP database access opposing least privilege principles, risks of unfettered LLM access, hallucination-driven SQL injection, and need for guardrails and monitoring

← Back to Databases in 2025: A Year in Review

Skepticism regarding MCP security centers on the fundamental conflict between maximizing model context and the principle of least privilege, with critics warning that exposing complex schemas invites a new era of "hallucination-driven" SQL injection. While some argue that granting an agent write access in production is inherently reckless, others suggest mitigating these risks through monitoring gateways, isolated database snapshots, or restricting access to read-only views. Ultimately, these discussions highlight a tense trade-off between the "move fast and break things" ethos of AI development and the traditional security principles necessary to prevent destructive autonomous actions.

6 comments tagged with this topic

Pavlo is right to be skeptical about MCP security. The entire philosophy of MCP seems to be about maximizing context availability for the model, which stands in direct opposition to the principle of Least Privilege. When you expose a database via a protocol designed for 'context', you aren't just exposing data; you're exposing the schema's complexity to an entity that handles ambiguity poorly. It feels like we're just reinventing SQL injection, but this time the injection comes from the system's own hallucinations rather than a malicious user.

Totally agree, unfettered access to databases is dangerous. There are ways to reduce injection risk: since LLMs are stateless, you can monitor the origination and the trustworthiness of the context that enters the LLM and then decide whether MCP actions that affect state will be dangerous or not. We've implemented a mechanism like this based on Simon Willison's lethal trifecta framework as an MCP gateway monitoring what enters context. LMK if you have any feedback on this approach to MCP security. This is not as elegant as the approach that Pavlo talks about in the post, but nonetheless, we believe this is a good band-aid solution for the time being as the technology matures: https://github.com/Edison-Watch/open-edison

> Totally agree, unfettered access to databases is dangerous

Any decent MVCC database should be able to provide MCP access to a mutable yet isolated snapshot of the DB though, and it doesn't strike me as crazy to let the agent play with that.

I don't know anyone with a brain who is using a DB MCP with write permissions in prod. I mean, trying to lay that blame on a protocol for doing something as nuts as that seems unfair.

Was the trade-off so exciting that we abandoned our own principles? Or are we lemmings?

Edit: My apologies for the cynical take. I like to think that this is just the move-fast-break-stuff ethos coming about.

We had to restrict ours to views only because it kept trying to run updates. It still breaks sometimes when it hallucinates column names, but at least it can't do anything destructive.
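A minimal gateway policy combining the two mitigations raised in this thread: the lethal-trifecta gateway from the open-edison comment (track what has entered context, deny the call that would complete private data + untrusted content + exfiltration channel) and the read-only restriction from the last comment (never forward state-changing SQL). This is an added illustrative example, not the open-edison project's code; the tool names, the capability map and the conservative SQL check are assumptions.

```python
import re
from dataclasses import dataclass, field

# Conservative write detector: a word-boundary hit anywhere (even inside a
# CTE or a string literal) rejects the query. False positives are acceptable.
WRITE_KEYWORDS = re.compile(
    r"\b(insert|update|delete|merge|drop|alter|truncate|create|grant|revoke|copy|call|vacuum)\b")

def is_read_only(sql: str) -> bool:
    """True only for a single SELECT/WITH statement with no data-modifying keyword."""
    text = re.sub(r"--[^\n]*", " ", sql)                  # strip line comments
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)    # strip block comments
    text = text.strip().rstrip(";").strip().lower()
    if not text or ";" in text:                           # empty or stacked statements
        return False
    if text.split(None, 1)[0] not in {"select", "with"}:
        return False
    return WRITE_KEYWORDS.search(text) is None

# Assumed tool names and the trifecta leg each one contributes to the session.
CAPABILITIES = {
    "db_query":   "private_data",  # returns rows from the production database
    "fetch_url":  "untrusted",     # pulls attacker-controllable text into context
    "send_email": "exfil",         # can move data outside the trust boundary
}

@dataclass
class SessionContext:
    """Provenance of what has entered the model's context so far."""
    flags: dict = field(default_factory=lambda: {
        "private_data": False, "untrusted": False, "exfil": False})

def decide(ctx: SessionContext, tool: str, arg: str = "") -> tuple[bool, str]:
    """Allow or deny one MCP tool call; the leg it adds is recorded only if allowed."""
    leg = CAPABILITIES.get(tool)
    if leg is None:
        return False, f"unknown tool {tool!r}"
    if tool == "db_query" and not is_read_only(arg):
        return False, "state-changing SQL is never forwarded"
    after = {**ctx.flags, leg: True}
    if all(after.values()):
        return False, "lethal trifecta: private data + untrusted content + exfil channel"
    ctx.flags.update(after)
    return True, "ok"

if __name__ == "__main__":
    ctx = SessionContext()   # constructed session: read, fetch, then attempt to send
    for call in [("db_query", "SELECT id FROM orders_v"), ("fetch_url", "https://example.invalid"),
                 ("send_email", "report"), ("db_query", "UPDATE orders SET total = 0")]:
        print(call[0], decide(ctx, *call))
```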