Blog | G5 Cyber Security

MySQL Design Flaw Allows Malicious Servers to Steal Files from Clients

A design flaw in the file transfer interaction between a client host and a MySQL server allows an attacker running a malicious MySQL server to access any data the connected client has read access to. The problem lies in the LOAD DATA statement used with the LOCAL modifier, which the MySQL documentation references as a security risk. In this case, an attacker can use the flaw to steal the /etc/passwd file, which holds user account records. The same applies to web servers, which act as clients when connecting to a MySQL server.
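A client-side check for the setting behind this flaw, as an added example that is not part of the original article: it scans MySQL option-file text for `local-infile` settings and reports the sections that leave LOAD DATA LOCAL enabled. The sample file is constructed and the function names are hypothetical.

```python
import re

# MySQL option files treat '-' and '_' alike and accept loose-/skip-/disable-/enable- prefixes.
_KEY = re.compile(
    r"^(?:loose[-_])?(?P<neg>skip[-_]|disable[-_])?(?:enable[-_])?local[-_]infile$", re.I
)
_OFF = {"0", "off", "false"}

def audit_option_file(text):
    """Return (section, line_no, enabled) for every local-infile setting found."""
    findings, section = [], ""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, _, value = line.partition("=")
        match = _KEY.match(key.strip())
        if not match:
            continue
        value = value.split("#", 1)[0].strip().strip("'\"").lower()
        # skip-/disable- forms turn it off; a bare option (no value) turns it on.
        enabled = False if match.group("neg") else value not in _OFF
        findings.append((section, line_no, enabled))
    return findings

def risky_sections(text):
    """Sections whose last local-infile setting leaves the capability on."""
    last = {}
    for section, _, enabled in audit_option_file(text):
        last[section] = enabled
    return sorted(s for s, on in last.items() if on)

# Constructed sample option file, not taken from the article.
SAMPLE = """\
[client]
local-infile=1
[mysql]
loose_local_infile = OFF   # hardened
[mysqldump]
quick
[mysqlimport]
local_infile
"""

if __name__ == "__main__":
    for section in risky_sections(SAMPLE):
        print(f"[{section}] allows LOAD DATA LOCAL: set local-infile=0")
```

An option file with no `local-infile` line produces no finding, so the effective default of the client library or connector in use still has to be checked separately.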

Source: https://www.bleepingcomputer.com/news/security/mysql-design-flaw-allows-malicious-servers-to-steal-files-from-clients/
