Best MCP Servers for Databases: PostgreSQL, MySQL, MongoDB, Snowflake Compared

Every major database has an MCP server. Some are official, some are community-built, and one has an unpatched SQL injection vulnerability. Here is the complete comparison.

March 27, 2026
6 min read

Database MCP servers let AI assistants query your data, explore schemas, and run SQL through natural language. Instead of switching between your editor and a database client, you describe what you need and the agent handles the rest: "show me the slowest queries this week" becomes a real query against your real data.

The use cases go beyond convenience. Schema exploration that used to require manual \d+ commands happens automatically. Data analysis that needed a notebook can happen in a conversation. Migration scripts get validated against actual table structures.

Every major database now has at least one MCP server, but the quality gap is enormous: one of the most-downloaded servers ships with an unpatched SQL injection vulnerability. This guide covers what works, what to avoid, and exact config examples for Claude Desktop and Claude Code.

Quick Comparison

| Server | Database | Install | Read-Only | Maintained By |
|---|---|---|---|---|
| Postgres MCP Pro | PostgreSQL | uvx postgres-mcp | Yes (restricted mode) | CrystalDBA (open source) |
| Neon MCP | PostgreSQL (serverless) | Remote: mcp.neon.tech/mcp | Yes | Neon / Databricks |
| Supabase MCP | PostgreSQL (managed) | Remote: mcp.supabase.com/mcp | Yes | Supabase |
| MongoDB MCP | MongoDB / Atlas | npx mongodb-mcp-server | Yes (default) | MongoDB official |
| Snowflake MCP | Snowflake | uvx snowflake-labs-mcp | Via SQL allowlist | Snowflake Labs |
| MySQL MCP | MySQL | npx @benborla29/mcp-server-mysql | Yes | Community |
| SQLite MCP | SQLite | npx @modelcontextprotocol/server-sqlite | No | Anthropic (reference) |
| dbt MCP | Any (via dbt) | uvx dbt-mcp or remote | Read-only by design | dbt Labs |

PostgreSQL: Three Options, One to Avoid

The Deprecated Reference Server (Do Not Use)

Anthropic's @modelcontextprotocol/server-postgres was the first database MCP server most developers tried. It is now deprecated, archived, and contains an unpatched SQL injection vulnerability on npm.

The flaw: the server wraps queries in a read-only transaction, but client.query accepts semicolons as statement delimiters. An attacker -- or a manipulated LLM -- can inject COMMIT; DROP SCHEMA public CASCADE; to escape the transaction and execute arbitrary SQL.

The vulnerability was reported in November 2024, a working patch was submitted to Anthropic in April 2025, and Anthropic archived the repo in May 2025 -- but never patched the npm package. It still gets 20,000+ weekly downloads. If you see it in your config, replace it.

Patched fork: Zed Industries published @zeddotdev/postgres-context-server (v0.1.4+) with prepared statements and per-call connection recycling.

Postgres MCP Pro from CrystalDBA is the production-grade replacement. Beyond query execution, it provides index tuning (tests thousands of combinations against your workload), health checks (buffer cache, vacuum status, replication lag), EXPLAIN plans with hypothetical index simulation, and two access modes: unrestricted or restricted (read-only with resource limits).

{
  "mcpServers": {
    "postgres": {
      "command": "uvx",
      "args": ["postgres-mcp", "--access-mode=restricted"],
      "env": {
        "DATABASE_URI": "postgresql://mcp_reader:password@host:5432/mydb"
      }
    }
  }
}

Neon and Supabase (Managed Postgres)

Neon MCP stands out for migration safety. prepare_database_migration creates an instant copy-on-write branch from production; the migration runs there first. After verification, complete_database_migration merges it back. Zero-install remote server with OAuth:

{ "mcpServers": { "neon": { "url": "https://mcp.neon.tech/mcp" } } }

Supabase MCP goes beyond SQL with eight tool groups: database, Edge Functions, storage, branching, debugging, development, knowledge base, and account management. Append ?read_only=true&project_ref=your-ref to the URL for scoped, read-only access:

{ "mcpServers": { "supabase": { "url": "https://mcp.supabase.com/mcp?read_only=true" } } }

MongoDB MCP Server

The official MongoDB MCP server covers self-hosted MongoDB and Atlas clusters, shipping read-only by default. Capabilities include query execution and aggregation pipelines, schema inspection and index management, Atlas cluster management and Performance Advisor integration, automatic embedding generation for vector search via Voyage AI, and local cluster creation with mongodb-atlas-local.

{
  "mcpServers": {
    "mongodb": {
      "command": "npx",
      "args": ["-y", "mongodb-mcp-server@latest", "--readOnly"],
      "env": {
        "MDB_MCP_CONNECTION_STRING": "mongodb+srv://user:pass@cluster.mongodb.net/mydb"
      }
    }
  }
}

For Atlas management, swap the connection string for API credentials: MDB_MCP_API_CLIENT_ID and MDB_MCP_API_CLIENT_SECRET.

Snowflake MCP Server

The Snowflake MCP server from Snowflake Labs integrates Cortex AI directly: Cortex Search (RAG over unstructured data), Cortex Analyst (semantic models for structured data), Cortex Agent (orchestration), plus object management and SQL execution.

Its security model is the strongest in this comparison. A YAML config controls exactly which SQL statement types are allowed (Select: True, Insert: False, etc.), and the server delegates to Snowflake's native RBAC for everything else.

{
  "mcpServers": {
    "snowflake": {
      "command": "uvx",
      "args": ["snowflake-labs-mcp", "--service-config-file", "config.yaml"],
      "env": {
        "SNOWFLAKE_ACCOUNT": "your-account",
        "SNOWFLAKE_USER": "your-user",
        "SNOWFLAKE_PASSWORD": "your-password",
        "SNOWFLAKE_ROLE": "ANALYST_ROLE",
        "SNOWFLAKE_WAREHOUSE": "COMPUTE_WH"
      }
    }
  }
}

MySQL MCP Servers

There is no official server from Oracle. The most established community option is @benborla29/mcp-server-mysql (read-only by default, SSH tunnel support):

{
  "mcpServers": {
    "mysql": {
      "command": "npx",
      "args": ["-y", "@benborla29/mcp-server-mysql"],
      "env": {
        "MYSQL_HOST": "127.0.0.1",
        "MYSQL_PORT": "3306",
        "MYSQL_USER": "mcp_reader",
        "MYSQL_PASS": "password",
        "MYSQL_DB": "mydb"
      }
    }
  }
}

Alternatives: @berthojoris/mcp-mysql-server (read/write), @liangshanli/mcp-server-mysql (DDL with operation logs). Since none are vendor-maintained, audit the source before connecting production data.

SQLite and dbt

SQLite: Anthropic's @modelcontextprotocol/server-sqlite remains maintained (unlike the Postgres sibling). Point it at a file:

{
  "mcpServers": {
    "sqlite": {
      "command": "npx",
      "args": ["-y", "@modelcontextprotocol/server-sqlite", "/path/to/db.sqlite"]
    }
  }
}

No network, no auth, no permissions to configure. Ideal for prototyping, exploratory analysis on CSV-to-SQLite exports, and teaching agents SQL patterns before connecting them to production databases.

dbt: The dbt MCP server does not connect to databases directly. It exposes your dbt project's models, metrics, lineage, and freshness metadata. When data is needed, queries go through the dbt Semantic Layer -- ensuring governed, consistent results regardless of which warehouse sits underneath.

Two deployment modes: local via uvx dbt-mcp (requires a local dbt project) or remote via dbt Cloud. Best paired with a database MCP for teams that need both raw access and governed metrics.

Security: What Can Go Wrong

SQL Injection via Prompt Injection

The deprecated Postgres server proved this is not theoretical. If an LLM processes untrusted input (user messages, web content, other tool outputs) and forwards it to a database MCP, injected SQL can execute. The attack surface is wider than traditional SQL injection because the input does not come from a form field -- it comes from the model's context window, which may contain adversarial content from any source the agent has read.

Mitigations: use servers that parameterize queries (Postgres MCP Pro, Zed fork), always enable read-only mode, and use statement allowlists where available (Snowflake's YAML config is the gold standard here).
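The two mitigations above (reject multi-statement input, allowlist statement types) as a small query gate, added here as an example; this is not code from any of the servers discussed, and the allowlist and regexes are constructed for illustration:

```python
import re

# Constructed allowlist of statement types an analytics agent may issue, in the
# spirit of the Snowflake YAML config ("Select: True, Insert: False").
ALLOWED_STATEMENTS = {"SELECT", "WITH", "EXPLAIN", "SHOW"}
COMMENT = re.compile(r"--[^\n]*|/\*.*?\*/", re.S)                 # -- ... or /* ... */
QUOTED = re.compile(r"'(?:[^']|'')*'|\"(?:[^\"]|\"\")*\"")         # 'it''s' or "col"
DOLLAR_TAG = re.compile(r"\$(?:[A-Za-z_]\w*)?\$")                  # $$ or $tag$


def split_statements(sql: str) -> list[str]:
    """Split on top-level semicolons only; a ';' inside a string, identifier,
    comment or $$ body is data. Unterminated quotes or comments are left as text,
    so any ';' after them still counts: the check fails closed."""
    stmts, buf, i, n = [], [], 0, len(sql)
    while i < n:
        if m := COMMENT.match(sql, i):            # drop comments entirely
            i = m.end()
        elif m := QUOTED.match(sql, i):           # keep strings/identifiers verbatim
            buf.append(m.group(0))
            i = m.end()
        elif m := DOLLAR_TAG.match(sql, i):       # copy $tag$ ... $tag$ as one unit
            tag = m.group(0)
            j = sql.find(tag, m.end())
            j = n if j == -1 else j + len(tag)
            buf.append(sql[i:j])
            i = j
        elif sql[i] == ";":                       # top-level statement boundary
            stmts.append("".join(buf).strip())
            buf = []
            i += 1
        else:
            buf.append(sql[i])
            i += 1
    stmts.append("".join(buf).strip())
    return [s for s in stmts if s]


def check_query(sql: str) -> tuple[bool, str]:
    """Gate a query the way the mitigations above describe: exactly one
    statement, and its type must be on the allowlist."""
    stmts = split_statements(sql)
    if len(stmts) != 1:
        return False, f"expected 1 statement, got {len(stmts)}"
    m = re.match(r"[A-Za-z]+", stmts[0])
    keyword = m.group(0).upper() if m else "?"
    if keyword not in ALLOWED_STATEMENTS:
        return False, f"statement type {keyword} not allowed"
    return True, "ok"
```

This is defence in depth, not a substitute for the read-only role: a single allowed SELECT can still call a volatile function, so the database-side privileges remain the real control.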

Data Exfiltration

An agent with SELECT access and internet access (via other MCP tools) can read sensitive data and send it elsewhere. This "confused deputy" attack is hard to detect because each individual tool call looks legitimate. Limit the agent's table access to non-sensitive data, avoid combining database MCP with HTTP/email tools on the same agent, and monitor query logs for unexpected SELECT patterns on sensitive tables.
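The query-log monitoring suggested above, as an added example (not from any of the servers on this page): it scans PostgreSQL statement logs for the MCP role and flags reads of sensitive tables as well as any non-read statement, which would mean the role is over-privileged. The log lines, role name, table names and the log_line_prefix shape are constructed assumptions:

```python
import re
from collections import namedtuple

# Constructed values: roles used by MCP servers and tables they must never touch.
MCP_ROLES = {"mcp_reader"}
SENSITIVE_TABLES = {"customers", "payment_methods"}
READ_ONLY_KEYWORDS = {"SELECT", "WITH", "EXPLAIN"}

# Assumes lines in the shape of log_line_prefix = '%t [%p] %u@%d ' with log_statement = 'all'.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@\s]+)@(?P<db>\S+) "
    r"LOG:\s+statement: (?P<sql>.*)$")
# Heuristic table extraction: the name after FROM/JOIN/UPDATE/INTO, schema prefix dropped.
TABLE_RE = re.compile(r"\b(?:FROM|JOIN|UPDATE|INTO)\s+\"?(?:\w+\.)?(\w+)\"?", re.I)

# Constructed sample log: an MCP role and an application role sharing one database.
LOG_LINES = """\
2026-03-27 10:15:01 UTC [4411] mcp_reader@mydb LOG:  statement: SELECT count(*) FROM orders WHERE created_at > now() - interval '7 days'
2026-03-27 10:15:07 UTC [4411] mcp_reader@mydb LOG:  statement: SELECT email, card_last4 FROM public.customers LIMIT 500
2026-03-27 10:15:09 UTC [4412] app@mydb LOG:  statement: SELECT email FROM customers WHERE id = 42
2026-03-27 10:15:12 UTC [4411] mcp_reader@mydb LOG:  statement: SELECT o.id FROM orders o JOIN payment_methods p ON p.order_id = o.id
2026-03-27 10:15:20 UTC [4411] mcp_reader@mydb LOG:  statement: UPDATE customers SET email = 'x' WHERE id = 1
"""

Alert = namedtuple("Alert", "ts user reason sql")


def tables_in(sql: str) -> set[str]:
    return {m.group(1).lower() for m in TABLE_RE.finditer(sql)}


def scan_log(text: str) -> list[Alert]:
    """Flag MCP-role statements that are not reads or that touch sensitive tables."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["user"] not in MCP_ROLES:
            continue                                  # other roles are out of scope here
        sql = m["sql"]
        keyword = sql.split(None, 1)[0].upper() if sql.strip() else ""
        if keyword not in READ_ONLY_KEYWORDS:         # should be impossible for a read-only role
            alerts.append(Alert(m["ts"], m["user"], f"non-read statement {keyword}", sql))
        touched = tables_in(sql) & SENSITIVE_TABLES
        if touched:
            alerts.append(Alert(m["ts"], m["user"], f"sensitive table(s) {sorted(touched)}", sql))
    return alerts
```

Table extraction by regex is a heuristic; for production use, feed pgaudit or parsed query plans instead of raw statement text.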

Overprivileged Connections

The single most common mistake. Always create a dedicated read-only database user:

-- PostgreSQL
CREATE ROLE mcp_reader WITH LOGIN PASSWORD 'strong_password';
GRANT CONNECT ON DATABASE mydb TO mcp_reader;
GRANT USAGE ON SCHEMA public TO mcp_reader;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO mcp_reader;
-- Note: this grant covers tables that exist now; tables created later need a
-- fresh GRANT (or ALTER DEFAULT PRIVILEGES) before the agent can read them.

-- MySQL
CREATE USER 'mcp_reader'@'%' IDENTIFIED BY 'strong_password';
GRANT SELECT ON mydb.* TO 'mcp_reader'@'%';
-- Note: '%' accepts logins from any host; narrow it to the host running the MCP server.

// MongoDB
db.createUser({
  user: "mcp_reader",
  pwd: "strong_password",
  roles: [{ role: "read", db: "mydb" }]
});

Which Server Should You Use?

Self-hosted PostgreSQL -- Postgres MCP Pro. The only production-grade option with health monitoring, index tuning, and proper access controls. Never use the deprecated reference server.

Managed Postgres -- Neon MCP for branching-based migration safety. Supabase MCP if you need the agent to manage Edge Functions and storage alongside SQL.

MongoDB -- The official server. Well-maintained, read-only by default, covers self-hosted and Atlas.

Snowflake -- Snowflake Labs MCP. SQL allowlisting and RBAC integration make it the most security-conscious option here.

MySQL -- @benborla29/mcp-server-mysql is the most established community option. Audit it and use a read-only user.

SQLite -- The reference server works. No concerns for local files.

Data teams using dbt -- Add the dbt MCP alongside your database server. Agents get lineage context and governed metrics, producing more reliable queries than raw SQL alone.

Regardless of which server you pick, the same rule applies everywhere: create a dedicated read-only database user, grant the minimum permissions needed, and never connect production admin credentials to an MCP server.

For more on securing MCP servers generally, see MCP server security best practices.
