C

CData MCP Server for Workday

Generic CData JDBC-based MCP server exposing Workday data via SQL queries through a commercial JDBC driver

Overall Score60/100

Score Breakdown

Authentication & Identity1 finding0/25
Tool Schema Quality2 findings16/25
Permission Granularity20/20
LLM Safety1 finding11/15
Data Exposure1 finding8/10
Maintenance & Trust5/5

Server Info

Package
com.cdata:CDataMCP
Registry
maven
Maintainer
CData
Category
HR & People
Tags
hrpayrollenterprise
Last Scanned
7 Apr 2026

Findings

5 issues

Authentication & Identity

HIGHNo per-request auth - requires instance-per-user

Stdio-only transport. Authentication is configured via a .prp properties file containing JDBC connection string (JdbcUrl), driver class, and driver path. The JDBC URL embeds Workday OAuth credentials. No env vars are used directly; all config is in the properties file. HTTP transport code is comment... For multi-tenant deployment, the platform must spawn a separate server instance per user.

Remediation

Add HTTP/SSE transport to accept per-request Authorization headers, or implement the MCP OAuth spec.

Tool Schema Quality

MEDIUMOnly 0 of 3 schemas have parameter constraints

Most schemas lack maxLength, enum, or pattern constraints on string parameters.

Remediation

Add constraints to string parameters, especially on write operations.

CRITICALDangerous execution surface: workday_run_query accepts arbitrary SQL string with no validation or sanitization

Tool allows raw code/query execution which could be exploited via prompt injection.

Remediation

Use parameterized queries or validated command sets.

LLM Safety

HIGHTool descriptions contain instructional language

Descriptions include directives that could influence LLM behavior beyond tool selection.

Remediation

Remove instructional language. Descriptions should be purely factual.

Data Exposure

LOWNo field selection on responses

Responses return full records rather than projected fields.

Remediation

Implement field selection to return only relevant fields.

Tools

3 total
NameDescriptionRisk
workday_get_tablesRetrieves a list of objects, entities, collections, etc. (as tables) available in the data source. Use the `workday_get_columns` tool to list available columns on a table. Both `catalog` and `schema` are optional parameters. The output of the tool will be returned in CSV format, with the first line containing column headers.read
workday_get_columnsRetrieves a list of fields, dimensions, or measures (as columns) for an object, entity or collection (table). Use the `workday_get_tables` tool to get a list of available tables. The output of the tool will be returned in CSV format, with the first line containing column headers.read
workday_run_queryExecute a SQL SELECT statement.read

Deploy CData MCP Server for Workday securely

CompleteFlow adds per-user authentication, permission scoping, and audit logging to any MCP server out of the box.

Deploy on CompleteFlow