I received a notification today that the preview TDS endpoint had been disabled on my environment because of a security vulnerability.
Update 2020-10-22 – the TDS endpoint has now been re-enabled 😊
Sure enough, even though the Power Platform Admin Center shows the endpoint as enabled, when I try to connect to it I get an error indicating it’s disabled.
It appears that Microsoft have identified a method to bypass the row-level security. A user that can read one record of an entity can effectively raise their permissions to read all those records.
Hopefully this will be resolved soon. I’d also be interested to hear if the same exploit affects the filtered views for on-premise systems.
In the meantime you can still run your SQL queries using SQL 4 CDS, leaving the option to use the T-SQL endpoint disabled. Queries run via SQL 4 CDS are not affected by this vulnerability.