# PostgreSQL (archived) > Anthropic's reference Postgres MCP — archived July 2025 and superseded by Postgres MCP Pro or the Supabase MCP. [Canonical HTML page](https://top-mcps.com/mcp/postgres) · [server.json](https://top-mcps.com/mcp/postgres.json) · [methodology](https://top-mcps.com/about/methodology) ## Install ### Claude Desktop — `claude_desktop_config.json` Paste under mcpServers. Fully quit and reopen Claude after editing. ```json { "mcpServers": { "postgres": { "command": "npx", "args": [ "-y", "@modelcontextprotocol/server-postgres", "postgresql://user:pass@localhost/db" ] } } } ``` ### Claude Code — `CLI or .mcp.json` Run from your repo. Commit .mcp.json to share with your team. ```shell claude mcp add postgres -- npx -y @modelcontextprotocol/server-postgres postgresql://user:pass@localhost/db ``` ### Cursor — `.cursor/mcp.json` Global path: ~/.cursor/mcp.json. Reload window after editing. ```json { "mcpServers": { "postgres": { "command": "npx", "args": [ "-y", "@modelcontextprotocol/server-postgres", "postgresql://user:pass@localhost/db" ] } } } ``` ### VS Code — `.vscode/mcp.json` VS Code uses the "servers" key (not "mcpServers"). ```jsonc { "servers": { "postgres": { "command": "npx", "args": [ "-y", "@modelcontextprotocol/server-postgres", "postgresql://user:pass@localhost/db" ] } } } ``` ### Windsurf — `~/.codeium/windsurf/mcp_config.json` Open via Cascade → hammer icon → Configure. ```json { "mcpServers": { "postgres": { "command": "npx", "args": [ "-y", "@modelcontextprotocol/server-postgres", "postgresql://user:pass@localhost/db" ] } } } ``` ### Cline — `cline_mcp_settings.json` Open via the Cline sidebar → MCP Servers → Edit. ```json { "mcpServers": { "postgres": { "command": "npx", "args": [ "-y", "@modelcontextprotocol/server-postgres", "postgresql://user:pass@localhost/db" ] } } } ``` ### Continue — `~/.continue/config.json` Continue uses modelContextProtocolServers with a transport block. ```json { "experimental": { "modelContextProtocolServers": [ { "transport": { "type": "stdio", "command": "npx", "args": [ "-y", "@modelcontextprotocol/server-postgres", "postgresql://user:pass@localhost/db" ] } } ] } } ``` ### Codex CLI — `~/.codex/config.toml` Codex uses TOML. Each server is a [mcp_servers.] subtable. ```shell # ~/.codex/config.toml [mcp_servers.postgres] command = "npx" args = [ "-y", "@modelcontextprotocol/server-postgres", "postgresql://user:pass@localhost/db", ] ``` ### Zed — `~/.config/zed/settings.json` Zed calls them "context_servers". Settings live-reload on save. ```jsonc { "context_servers": { "postgres": { "command": { "path": "npx", "args": [ "-y", "@modelcontextprotocol/server-postgres", "postgresql://user:pass@localhost/db" ] } } } } ``` ### ChatGPT — `ChatGPT → Apps directory` PostgreSQL (archived) doesn't ship a hosted HTTPS endpoint today. ChatGPT supports remote MCP servers only — to use this server in ChatGPT you'll need to deploy it to a public HTTPS URL first (e.g. via Cloudflare Workers or Vercel) or wait for an official remote build. ```none ``` ## At a glance - **Maintainer:** Anthropic (archived 2025-07-10) - **Transport:** stdio - **Auth model:** API key - **Required secrets:** None - **Supported clients:** Claude, Cursor, Any MCP-compatible client, PostgreSQL 12+ - **License:** MIT - **Language:** TypeScript - **Latest version:** archived - **Last verified:** 2026-05-29 - **GitHub stars:** 266 (fetched 2026-06-02T11:55:51.430Z) - **Score:** 63/100 (rubric 2026-04 — see https://top-mcps.com/about/methodology) - **Source:** https://github.com/modelcontextprotocol/servers-archived/tree/main/src/postgres ## Tools & permissions | Tool | Description | Args | Side effects | |------|-------------|------|--------------| | `query` | Execute a SELECT-only SQL query and return rows (multi-statement payloads can bypass this restriction — see security notes). | `sql: string` | read | | `list_tables` | List all tables in the connected database. | `—` | read | | `describe_table` | Return the column schema of a table. | `table: string` | read | ## Security & scope - **Access scope:** read-only - **Sandbox:** Server is no longer maintained. The advertised read-only sandbox is bypassable via multi-statement SQL payloads per Datadog Security Labs — rely on database-level GRANT SELECT as the actual guard. - **Gotchas:** - Repo archived on 2025-07-10 — no patches will land for this or any future vulnerability. - The MCP-level read-only flag is bypassable; the DB-level role grant is the only real boundary. - No connection pooling and no per-query timeout; long-running queries hold a connection open. ## Quick answer **What it does.** Connects to a PostgreSQL database over a stdio MCP and exposes SELECT-only query and schema-inspection tools — without a working in-server guard against statement injection that escapes the read-only sandbox. **Best for:** - Auditing or replacing an existing install - Reference reading for how the early MCP servers were structured **Not for:** - New installs (the repo is archived) - Any workflow that trusts the read-only sandbox - Production database access - Schema mutations or writes (never supported) ## Recipes ### Migrate off the archived reference server ``` I am currently using @modelcontextprotocol/server-postgres. Swap my MCP client config to Postgres MCP Pro (uvx postgres-mcp, DATABASE_URI env), and add a note that I should re-grant my DB role to SELECT-only as a defence-in-depth step. Show the diff. ``` _Tested with: Claude Desktop, Cursor_ ## Description Anthropic's reference PostgreSQL MCP was the first widely installed Postgres server but is no longer maintained. Anthropic archived the repository on 2025-07-10 at github.com/modelcontextprotocol/servers-archived, and Datadog Security Labs has documented a SQL-injection issue that bypasses the read-only restriction. New installs should use Postgres MCP Pro for tuning workflows or the Supabase MCP for Postgres-on-Supabase. This entry remains so existing users can find the migration path. ## Why it matters It was the canonical Postgres MCP through most of 2024–25 and is still referenced by older agent setups. Calling out the archival and the CVE-class vulnerability is the only way readers and AI search engines stop recommending it. ## Key features - Archived on 2025-07-10 — no upstream maintenance - Read-only contract is bypassable per Datadog Security Labs - SELECT-only tool surface (when the contract holds) - Stdio transport; one connection per process - Recommended migration: Postgres MCP Pro or Supabase MCP ## FAQ ### Is this MCP still maintained? No. Anthropic archived the entire reference-servers repo on 2025-07-10 and moved Postgres to github.com/modelcontextprotocol/servers-archived. There will be no more upstream commits, security patches, or bug fixes. ### What should I use instead? Postgres MCP Pro for standard Postgres with EXPLAIN-plan analysis, index advice, and an explicit safe-mode write toggle; the Supabase MCP if your database is on Supabase and you also want auth, storage, and RLS-aware tools. ### Is there a known security issue? Yes. Datadog Security Labs has documented a SQL-injection class issue where a multi-statement payload (for example `COMMIT; DROP TABLE …`) can escape the server-side read-only restriction. The mitigation is to never grant the connecting Postgres role anything beyond `SELECT` privileges — treat the MCP-level read-only flag as advisory only. ### Can I still install it from npm? The `@modelcontextprotocol/server-postgres` package is still resolvable, but it is frozen at its archived version. New installs are strongly discouraged for the reasons above. ### Does the Datadog issue affect Postgres MCP Pro? No — Postgres MCP Pro implements its own read-only enforcement that does not split on the same multi-statement boundary, and writes are gated behind an explicit safe-mode flag. The vulnerability is specific to the archived reference server. ### I have an existing agent using this MCP — what do I do? Two steps: (1) swap `npx -y @modelcontextprotocol/server-postgres` for `uvx postgres-mcp` (Postgres MCP Pro) and pass the connection string as `DATABASE_URI`; (2) make sure the connecting Postgres role is GRANT-ed only `SELECT` on the schemas you want exposed — that DB-level guard is what makes the read-only contract real, regardless of which MCP you use. ## Changelog - **2026-05-29** — Refreshed install snippets and fact sheet; verified for 2026. - **2024-11-25** — Initial directory listing.