Couchbase — agentic threat model
The Couchbase MCP server exposes high-value database clusters to agentic tool-calling, introducing significant risk of unauthorized data manipulation or exfiltration if the orchestrating agent is compromised. Because it acts as a direct bridge to database storage engines, its security posture is heavily dependent on the underlying cluster credential permissions.
OWASP AIVSS score rationale
| Agentic risk factor | Score | Rationale |
|---|---|---|
| Autonomy of Action | 0.60 | |
| Goal-Driven Planning | 0.30 | |
| Self-Modification | 0.10 | |
| Dynamic Tool Use | 0.80 | |
| Persistent Memory | 0.20 | |
| Contextual Awareness | 0.40 | |
| Dynamic Identity | 0.70 | |
| Multi-Agent Interactions | 0.20 | |
| Non-Determinism | 0.50 | |
| Opacity & Reflexivity | 0.40 | |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged "Not certain from the listing" carry general, caveated commentary because the public description does not pin down that layer.
1. Foundation Models: Not certain from the listing — The Couchbase MCP server is model-agnostic and does not include a built-in foundation model; model-level threats like adversarial prompt injection depend entirely on the external orchestrating LLM.
2. Data Operations: Directly exposes Couchbase bucket data via N1QL/SQL++ and key-value operations. This creates a high risk of data exfiltration, unauthorized modification, or database poisoning if malicious inputs bypass the orchestrating agent's sanitization.
3. Agent Frameworks: Exposes powerful database manipulation tools to agent frameworks. Insecure tool integration or lack of strict input validation on N1QL queries could allow SQL-injection-style attacks or unintended bulk document deletions.
4. Deployment and Infrastructure: Requires hosting within an environment that has network access to both the LLM client and the Couchbase cluster. Compromise of this layer could expose sensitive cluster credentials used for authentication.
5. Evaluation and Observability: Not certain from the listing — The description does not specify built-in logging, query auditing, or guardrails to monitor and block anomalous database operations executed by the MCP server.
6. Security and Compliance: Relies on cluster credential authentication to enforce access controls. Security compliance depends on applying the principle of least privilege to these credentials, limiting the agent's scope to specific buckets and read/write operations.
7. Agent Ecosystem: As an MCP server, it is designed to be consumed by other agents. This introduces cascading risks if a compromised upstream agent or malicious multi-agent workflow gains access to the database tools.
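One way to enforce the read-only, bucket-scoped posture that the Agent Frameworks and Security and Compliance entries above call for is a statement gate in the MCP host, in front of the query tool, that refuses anything other than a single SELECT over allow-listed buckets. The following is an added example written for this page, not code from the Couchbase MCP server; the allow-listed bucket name `travel-sample` and the `check_query` function are constructed for illustration, and the gate complements rather than replaces cluster RBAC.

```python
"""Read-only SQL++ (N1QL) gate for an MCP host that fronts Couchbase."""
import re
from dataclasses import dataclass

# Constructed allow-list for this example: buckets the agent may read from.
ALLOWED_BUCKETS = frozenset({"travel-sample"})
# SQL++ verbs that mutate data or schema, or run server-side logic.
MUTATING = frozenset("INSERT UPSERT UPDATE DELETE MERGE DROP CREATE ALTER "
                     "GRANT REVOKE EXECUTE BUILD FLUSH TRUNCATE".split())
# One left-to-right scan for string literals and comments, so a '--' inside
# a literal (or a quote inside a comment) cannot shift what gets scrubbed.
_SCRUB = re.compile(
    r"'(?:[^'\\]|\\.|'')*'|\"(?:[^\"\\]|\\.)*\"|--[^\n]*|/\*.*?\*/", re.S)
# Keyspace names following FROM / JOIN / NEST (UNNEST targets are aliases).
_KEYSPACE = re.compile(r"\b(?:FROM|JOIN|NEST)\s+(`[^`]+`|[A-Za-z_][\w-]*)", re.I)


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    reason: str
    buckets: tuple


def check_query(statement: str) -> Verdict:
    """Decide whether `statement` may be forwarded to the cluster."""
    text = _SCRUB.sub(
        lambda m: " " if m.group().startswith(("--", "/*")) else "''", statement)
    words = re.findall(r"[A-Za-z_]+", text.upper())
    if not words:
        return Verdict(False, "empty statement", ())
    # A request must carry exactly one statement (a trailing ';' is fine).
    if ";" in text.rstrip().rstrip(";"):
        return Verdict(False, "multiple statements", ())
    # Only SELECT, optionally introduced by a WITH clause, may start it.
    if words[0] not in ("SELECT", "WITH"):
        return Verdict(False, f"statement must be SELECT, got {words[0]}", ())
    # No mutating verb anywhere: catches WITH ... DELETE and subqueries.
    bad = sorted(MUTATING.intersection(words))
    if bad:
        return Verdict(False, f"mutating verb {bad[0]}", ())
    # Every keyspace must be an allow-listed bucket; anything else (system:
    # keyspaces, other buckets, CTE names, aliases) fails closed.
    buckets = tuple(sorted({k.strip("`") for k in _KEYSPACE.findall(text)}))
    off = [b for b in buckets if b not in ALLOWED_BUCKETS]
    if off:
        return Verdict(False, f"bucket not allowed: {off[0]}", buckets)
    return Verdict(True, "ok", buckets)
```

The gate deliberately fails closed on names it cannot resolve to an allow-listed bucket, so CTE names, aliases and backtick identifiers containing a mutating keyword are rejected rather than guessed at; pair it with a cluster user holding only `query_select` and `data_reader` on the same buckets so the credential itself cannot do more.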
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).