MCP is drowning in builders but starving for users. PostgreSQL has millions of users but few new tools being built.
8
-
The intersection—Postgres MCP server—is where both problems get solved. When Anthropic launched MCP in November 2024,
9
-
Postgres was among the original six reference implementations. A year later, with MCP now joined by OpenAI, Google, and
10
-
Microsoft, the question is: which Postgres MCP server should you choose?
7
+
MCP is drowning in builders but starving for users. PostgreSQL has millions of users but few new tools being built.
8
+
The intersection—Postgres MCP servers—is where both problems get solved. When Anthropic launched MCP in November 2024,
9
+
Postgres was among the original six reference implementations. A year later, with MCP now adopted by OpenAI, Google, and
10
+
Microsoft, let's take a look at the current landscape.
11
11
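Review bot: the rewritten intro states as fact that MCP is "now adopted by OpenAI, Google, and Microsoft" but, unlike the Supabase and Simon Willison references later in the post, gives no link for it; add a source for each vendor's adoption so the claim is checkable, and note that "joined by" became "adopted by", which is a stronger statement than the original and should be backed accordingly.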
12
-
## The Contenders
12
+
## SQL Injection Upgraded
13
13
14
-
If you are looking for a Postgres MCP server, you are likely searching by GitHub star count. These four have the most (as of Dec 20, 2025):
14
+
Remember SQL injection? Untrusted user input mixed with SQL commands, executed by the database. Prompt injection is the same problem, one layer up: untrusted user input mixed with AI instructions, executed by the LLM.
15
15
16
-
-**[MCP Toolbox for Databases](https://github.com/googleapis/genai-toolbox)** (11.8k stars) — Google's MCP Toolbox supporting multiple databases with OAuth, connection pooling, and OpenTelemetry observability.
17
-
-**[Supabase MCP](https://github.com/supabase-community/supabase-mcp)** (2.3k stars) — Built for the Supabase ecosystem, offering deep platform integration including edge functions, migrations, and branching.
18
-
-**[DBHub](https://github.com/bytebase/dbhub)** (1.7k stars) — Bytebase's minimal, token-efficient server supporting multiple databases including Postgres.
19
-
-**[Postgres MCP Pro](https://github.com/crystaldba/postgres-mcp)** (1.6k stars) — Crystal DBA's performance-focused server with index tuning, query plan analysis, and database health monitoring.
16
+
In July 2025, a [Supabase MCP vulnerability](https://www.generalanalysis.com/blog/supabase-mcp-blog) proved this isn't theoretical. The attack: embed SQL commands in a support ticket, let an AI assistant read it, watch it execute with full database access and exfiltrate data.
20
17
21
-
| Server | Maintainer | License | Language |
22
-
|--------|------------|---------|----------|
23
-
| MCP Toolbox for Databases | Google | Apache-2.0 | Go |
Simon Willison called it the ["lethal trifecta"](https://simonwillison.net/2025/Jun/16/the-lethal-trifecta/)—access to private data + exposure to untrusted content + ability to externally communicate in one tool. Supabase added read-only defaults and protective prompting, then admitted **"prompt injection is generally an unsolved problem."** The [HN thread](https://news.ycombinator.com/item?id=44502318) consensus: asking LLMs nicely isn't a security boundary.
27
19
20
+
Every Postgres MCP server ships with unfixable vulnerabilities. The question is what limits the damage:
28
21
29
-
Let's dig into each from four dimensions:
30
-
31
-
1.**Installation** — How easy is it to get started?
32
-
1.**Tools** — What capabilities does the server expose?
33
-
1.**Token Efficiency** — How much context does the server consume?
34
-
1.**Auth & Security** — How does it handle authentication and security?
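Review bot: removing all four evaluation criteria together with the old "which should you choose?" framing leaves the new intro's "let's take a look at the current landscape" with no stated basis for comparison. Given the new section's focus on injection and blast radius, the "Auth & Security" dimension is the one that most deserves to survive; consider keeping it (and "Tools", since tool scope determines what a hijacked assistant can do) so the security argument connects back to a concrete per-server comparison.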