Best MCP Servers for Databases in 2026 (Ranked + Setup)
The best database MCP for an AI agent is Postgres MCP Pro for self-hosted Postgres, the Supabase MCP if your data is on Supabase, and SQLite for local prototyping. Anthropic's reference @modelcontextprotocol/server-postgres was archived on 2025-07-10 and has a known read-only bypass — do not install it for new work. Below: six ranked picks, the decision tree, install commands, and the gotchas that bite in production.
Why a database MCP at all?
A database MCP turns an AI assistant into a junior data engineer that can actually run a query instead of guessing what the schema looks like. The agent introspects tables, drafts SQL against the real columns, and returns rows you can verify in the same conversation. Without it, the agent invents column names, hallucinates relations, and produces queries that compile but return wrong answers.
The bar for "safe enough for production introspection" is high. The MCP needs to surface schema, run SELECT-class queries, respect statement timeouts, and stop short of mutations unless you opt in. The six MCPs below clear that bar — ranked by impact for a generalist coding agent and ordered so you can stop reading once the rest of the list is irrelevant to your stack.
Setup time
3–10 min per server
Risk profile
Read-only by default; writes are opt-in
Cost
Open source; cloud DB charges still apply
The archived reference Postgres MCP is unsafe for new installs
@modelcontextprotocol/server-postgres on 2025-07-10 and moved it to github.com/modelcontextprotocol/servers-archived. Datadog Security Labs has documented a SQL-injection class issue: multi-statement payloads like COMMIT; DROP TABLE … bypass the server-side read-only restriction. The package still resolves on npm, but the upstream will not patch this or any future vulnerability. Use Postgres MCP Pro for new work and grant the connecting Postgres role SELECT only as defence-in-depth.Decision tree — which database MCP for which job
Pick by stack first, by workload second. The honest answer for most readers will be one of the first three rows.
| If you… | Install | Why |
|---|---|---|
| You are on Supabase | Supabase MCP | Project-aware, RLS-aware, OAuth from the dashboard. |
| You run self-hosted Postgres, RDS, Neon, or Aiven | Postgres MCP Pro | Active maintenance, EXPLAIN plans, index advisor, safe-mode writes. |
| You want a single-file local DB for prototyping | SQLite MCP | No server, no network, supports writes — fastest path to a working agent. |
| You query a document store | MongoDB MCP | Native MongoDB query operators; understands collections and indexes. |
| You run analytics on a warehouse | BigQuery MCP | Dataset and table scoping, dry-run cost estimates before execution. |
| You want an in-process analytics engine | DuckDB MCP | OLAP queries on local Parquet/CSV; pairs well with a data-exploration agent. |
| You see @modelcontextprotocol/server-postgres anywhere in your config | Migrate off it | Archived 2025-07-10 with a Datadog-documented read-only bypass — replace with Postgres MCP Pro. |
The 6 database MCPs worth installing
Ordered by the breadth of agent workflows they unlock. Each closes a specific gap — install in this order and stop wherever the rest is not relevant to your stack.
Postgres MCP Pro
5 min setupThe official Postgres MCP is read-only and intentionally minimal. Postgres MCP Pro fills the gap when you want index advice, performance analysis, or write capability under controlled circumstances.
uvx postgres-mcp
Supabase
5 min setupSupabase is a popular backend platform. This MCP lets AI models interact with every layer of a Supabase project without switching interfaces.
npx @supabase/mcp-server-supabase@latest
SQLite
2 min setupSQLite is the simplest persistent storage option for local AI workflows. This MCP enables full database interaction without any server setup.
uvx mcp-server-sqlite --db-path /path/to/db.sqlite
MongoDB
5 min setupMongoDB is the most-installed document store. Wiring it into an agent unblocks schema exploration, ad-hoc reporting, and the "what is in this collection again" workflow without breaking out a separate client.
npx -y mongodb-mcp-server --connectionString="mongodb+srv://user:pass@cluster.mongodb.net"
BigQuery
10 min setupBigQuery is the default warehouse for many teams. An MCP turns "open the BigQuery console" into a conversational query, with the dry-run cost estimate before the agent burns a credit.
uvx mcp-server-bigquery
DuckDB
2 min setupDuckDB is the fastest way to put an analytical query engine on a developer machine. As an MCP, it removes the "spin up a warehouse to look at a CSV" workflow entirely.
uvx mcp-server-motherduck
Always pair MCP-level flags with database-level grants
GRANT SELECT ON ALL TABLES IN SCHEMA public TO ai_agent) and point the MCP at that role. If the MCP-level flag has a bug, the role grant catches it; if the role grant is wrong, the MCP-level flag catches it. Defence in depth.Quick comparison
| MCP | Best for | Writes? | Auth |
|---|---|---|---|
| Postgres MCP Pro | Self-hosted Postgres, RDS, Neon | Yes (safe-mode flag) | Connection string |
| Supabase | Supabase projects | Yes (token scope) | Access token / OAuth |
| SQLite | Local prototyping | Yes (default) | File path |
| MongoDB | Document stores | Configurable | Connection string |
| BigQuery | Analytics warehouse | No (read-only) | Service account |
| DuckDB | In-process analytics | Yes | File path / connection |
Common gotchas
The MCP-level read-only flag is not a security boundary
Treat it as advisory and rely on database-level role permissions as the actual guard. The archived reference Postgres MCP's read-only contract is bypassable; even maintained MCPs can have parser bugs. A GRANT SELECT role with no other privileges is the only contract you can trust.
No statement_timeout means a runaway query
An agent will happily write SELECT * FROM events. On a billion-row table that returns terabytes. Set statement_timeout on the connecting role (ALTER ROLE ai_agent SET statement_timeout = '10s') and the database kills the query before the MCP buffer fills.
Hosted Postgres needs sslmode=require
Managed providers (Supabase, Neon, RDS) reject non-SSL connections. Append ?sslmode=require to the connection string. Without it, the MCP fails with "no pg_hba.conf entry" or an SSL handshake error.
Schema introspection is the highest-value tool
Most of the agent quality improvement from a database MCP comes from list_tables + describe_table, not from running queries. If you have to skip something for a constrained environment, skip the query tool and keep introspection — the agent can then ask you to run the SQL it drafts.
One connection per agent process, no pooling
The reference servers do not pool connections. If an agent spawns parallel queries, each opens a new socket. On Supabase's direct-connection limit (60 by default) this gets noticed fast. Use a pgbouncer-style pooler in front, or pick Postgres MCP Pro which is better-behaved.
Frequently asked questions
Which database MCP should I install first?
It depends on the stack. If you are on Supabase, install the Supabase MCP — it understands row-level security and project scoping out of the box. For self-hosted Postgres, install Postgres MCP Pro (the official reference @modelcontextprotocol/server-postgres was archived on 2025-07-10 and has a documented read-only bypass — do not use it for new work). For local prototyping with persistent state, install the SQLite MCP — no server process, no network. For analytics workloads, DuckDB or BigQuery.
Is it safe to connect a database MCP to a production database?
Only with read-only credentials granted at the database level — not just at the MCP level. The MCP-level read-only flag in the archived reference Postgres server is bypassable per Datadog Security Labs (multi-statement payloads like COMMIT; DROP TABLE … escape the sandbox). Create a dedicated PostgreSQL role with GRANT SELECT only, point the MCP at that role, and treat the MCP-side flag as advisory.
Why is the reference @modelcontextprotocol/server-postgres marked archived?
Anthropic archived the modelcontextprotocol/servers repository on 2025-07-10 and moved Postgres to github.com/modelcontextprotocol/servers-archived. No more upstream commits, security patches, or bug fixes. New installs should use Postgres MCP Pro (active community maintenance, EXPLAIN/index advice, safe-mode write toggle) or the Supabase MCP if the database is on Supabase.
What is the difference between Postgres MCP Pro and Supabase MCP?
Both target Postgres, but the scope differs. Postgres MCP Pro is a general Postgres client with EXPLAIN-plan analysis, index advice, and a guarded safe-mode for writes — pick it for self-hosted Postgres or RDS/Neon. The Supabase MCP is platform-aware — it knows about projects, RLS policies, edge functions, and the dashboard surface. Pick it if your data lives in Supabase and you want auth-aware queries, not just raw SQL.
Can a database MCP write to my data?
Some can, gated behind explicit flags. Postgres MCP Pro has a safe-mode toggle that must be turned on for INSERT/UPDATE/DELETE; the SQLite MCP supports writes by default (intentional, since SQLite is file-based and typically used for prototyping). The archived reference Postgres MCP is read-only by contract but the contract is bypassable. Always pair MCP-level flags with database-level role grants.
How do I prevent the agent from running a SELECT * on a billion-row table?
Three layers, applied together: (1) configure a server-side statement_timeout on the connecting Postgres role; (2) use Postgres MCP Pro which exposes EXPLAIN plans and surfaces query cost before execution; (3) write the system prompt to require a LIMIT on exploratory queries. None of these alone is enough — the timeout is the only one the agent cannot talk its way around.
Which database MCP works best with Claude Code, Cursor, and Windsurf?
All five of the ranked MCPs work in every MCP-compatible client. The install path differs by client (claude mcp add … for Claude Code, .cursor/mcp.json for Cursor, mcp_config.json for Windsurf) but the server itself is the same. Per-client install snippets are on each MCP detail page.
Can I use a database MCP with ChatGPT?
Only via the Developer Mode connector path. ChatGPT does not list general-purpose database MCPs in the Apps directory — the directory only contains vendor-published one-click apps (Supabase has one). For Postgres MCP Pro or SQLite, add a remote MCP connector in ChatGPT Developer Mode and point it at a hosted instance of the server.
More for databases
See the full Databases category page for every ranked MCP, plus filter chips for read-only, OAuth, and self-hostable picks.
More guides
Fundamentals
What Is MCP? A Plain-English Guide to Model Context Protocol
6 min read
Setup Guide
Best MCPs for Cursor in 2026 (Ranked + Setup)
8 min read
Setup Guide
Best MCPs for Claude Desktop in 2026 (Ranked + Setup)
9 min read
Setup Guide
Best MCPs for Claude Code in 2026 (Ranked + Setup)
8 min read
Setup Guide
Best MCPs for Windsurf in 2026 (Cascade-Ready Setup)
8 min read
Setup Guide
Best MCPs for VS Code in 2026 (Agent Mode + .vscode/mcp.json)
8 min read
Strategy
MCP Registry vs Curated Directory: Which Should You Use?
5 min read
Setup Guide
Best MCPs for ChatGPT: The Apps and Connectors Worth Installing
9 min read
Tutorial
How to Add an MCP Server to ChatGPT (Developer Mode + Apps Directory)
7 min read
Security
MCP Security: What to Know Before You Install
9 min read
Role Guide
Best MCPs for Marketers in 2026 (SEO, Email, Analytics)
8 min read
Strategy
Remote vs Local MCP Servers: When to Use Each
7 min read
Fundamentals
MCP vs Function Calling: What’s the Difference?
6 min read
Comparison
MCP Directories Compared: Top MCPs vs mcp.so vs PulseMCP vs mcp.directory
8 min read
Security
MCP Prompt Injection: How Tool-Calling Agents Get Hijacked
8 min read
Security
OAuth 2.1 for MCP: What the Spec Standardised and What You Need to Know
8 min read
Security
Sandboxing MCP Servers: Containers, Least Privilege, and Process Isolation
9 min read
Security
Rotating MCP Credentials: A Practical Guide for Leaks, Expiry, and Routine Hygiene
7 min read
Security
Least-Privilege Scoping for MCPs: How to Grant the Smallest Useful Permission
7 min read
Setup Guide
Best MCP Servers for Research in 2026 (Search, Scrape, Synthesize)
9 min read
Setup Guide
Best MCP Servers for Design-to-Code in 2026 (Figma → React)
9 min read
Setup Guide
Best MCP Servers for Domains in 2026 (Registrars + DNS)
9 min read
Tutorial
How to Buy a Domain From Claude (Cloudflare MCP, Step by Step)
6 min read
Tutorial
How to Search for Domains With an AI Agent (Cross-Registrar Workflow)
7 min read