Exposed: Critical Security Vulnerabilities in AI's New Communication Standard - MCP Under Scrutiny
MCP concentrates every AI-agent-to-tool interaction through one interface, and that makes it a new attack surface. A breakdown of the vulnerabilities and how to secure them.

Standardizing how AI agents reach external tools also standardizes how attackers reach them. The Model Context Protocol (MCP), Anthropic's open standard for connecting AI agents to external data and tools, routes every agent-to-tool interaction through one interface, and that concentration creates a new, high-value target surface. A flaw in the protocol itself, or in a common implementation pattern, could propagate across every system that adopts MCP.
MCP is an open standard designed to give AI agents a unified way to connect with external capabilities, replacing the current landscape of bespoke, one-off integrations. Often analogized to USB-C for AI, it resolves the "M×N" integration problem, where M applications each need custom integrations for N tools, by establishing a common communication layer and turning it into a more manageable "M+N" problem where applications implement MCP clients and tools expose MCP servers.
Standardization promises interoperability, reusability, and potentially stronger security governance. It also concentrates risk. Standardizing the interface between AI reasoning components (Large Language Models, or LLMs) and external execution or data retrieval inherently creates one high-value choke point, and routing every interaction through a single protocol is what makes rigorous security scrutiny non-negotiable.
Understanding Model Context Protocol (MCP)
A thorough security analysis of MCP requires a foundational understanding of its definition, architecture, communication flow, and core functionalities, particularly concerning context management.
Definition and Core Purpose:
Model Context Protocol (MCP) is formally defined as an open standard protocol designed to facilitate structured, secure, and consistent interaction between AI models or agents and external systems. Its fundamental purpose is to act as a universal adapter, enabling AI agents to invoke functions, retrieve data, or utilize predefined prompts from external services without requiring custom integration code for each specific tool or API. Built upon the JSON-RPC 2.0 specification, MCP provides a standardized "language" for these interactions, aiming to simplify the development and deployment of context-aware AI applications. It is designed to provide AI models with necessary context and, crucially, the ability to take tangible actions in other applications.
Architecture:
The MCP framework operates on a client-server architecture comprising three primary components:
MCP Host: This is the primary application that integrates the AI agent and utilizes MCP for external interactions. Examples include AI-powered chatbots, Integrated Development Environments (IDEs) like Cursor, or custom agentic systems. The Host is typically responsible for managing MCP Client instances and enforcing security policies and permissions related to tool usage.
MCP Client: Residing within the Host application, the MCP Client manages the communication with a specific MCP Server according to the protocol specification. Each client typically maintains a dedicated, one-to-one connection with a single MCP Server. Its roles include connection management, capability discovery, request formatting and forwarding, and handling responses from the server.
MCP Server: An MCP Server is a lightweight program that acts as an intermediary or wrapper around external systems. It exposes specific functionalities (e.g., tools, data resources) from these systems (which could be local files, databases, or remote APIs like Salesforce or Slack) via the MCP protocol. The server translates MCP requests into actions on the backend system and returns results in the standardized MCP format.
This architectural separation introduces distinct trust boundaries. The security of an MCP-enabled system depends not only on the protocol's design but critically on the secure implementation, configuration, and runtime operation of each individual component (Host, Client, Server) and the communication channels connecting them. A vulnerability in any single component can potentially compromise the entire interaction chain. For instance, a compromised Host might improperly manage client permissions, while a vulnerable Server could expose underlying backend systems or manipulate data returned to the agent.
Communication Flow and Methods:
A typical interaction sequence using MCP involves several steps:
Initialization: The Host application starts and initializes one or more MCP Clients. Each client establishes a connection with its corresponding MCP Server, performing a handshake to exchange protocol versions and capabilities.
Discovery: The Client queries the Server (e.g., using a tools/list method) to discover the available tools, resources, and prompts the server offers, along with their descriptions and schemas. This information allows the Host/agent to understand what actions are possible.
LLM Tool Selection: When a user request requires external interaction (e.g., "What's the weather in London?"), the AI model (often an LLM) within the Host determines, typically via function calling capabilities or prompt engineering, which specific tool should be invoked and with what parameters (e.g., get_weather(location="London")).
Invocation: The Host instructs the appropriate MCP Client to send an invocation request (e.g., tools/call with tool name and parameters) to the MCP Server.
Result Return: The MCP Server executes the requested action on the backend system and sends the result back to the MCP Client. The Client relays this result to the Host, which then integrates it into the AI agent's context. The agent can use this new information (e.g., "The weather in London is 15°C and cloudy") to formulate its final response to the user or continue a multi-step task.
Communication between MCP Clients and Servers primarily uses two methods:
stdio (Standard Input/Output): Used when the Client and Server run on the same machine, suitable for local integrations (e.g., accessing local files).
Streamable HTTP: Used for remote communication. The client sends messages by HTTP POST and the server streams responses back, optionally over Server-Sent Events, on a single endpoint. This transport replaced the older standalone HTTP+SSE transport in the March 2025 spec revision, and as of 2026 stdio and Streamable HTTP are the only two transports the specification defines. Securing remote channels with TLS is mandatory, and the June 2025 spec also builds in an OAuth 2.1 authorization layer for HTTP-based servers.
Key Functionalities (Context Management Primitives):
MCP distinguishes between different types of capabilities that servers can expose, refining patterns seen in agent development:
Tools (Model-controlled): These represent actions or functions that the AI model decides to invoke based on its reasoning and the user's request (akin to function calling). Examples include sending an email, booking a flight, or querying an API.
Resources (Application-controlled): These represent data sources that the Host application might provide as context to the AI model, often without explicit model request (similar to GET endpoints in REST APIs). They provide data without significant side effects.
Prompts (User-controlled): Pre-defined templates designed to guide the user or the model in utilizing specific tools or resources effectively.
This distinction between model-controlled Tools and application-controlled Resources carries significant security implications. Attacks targeting the LLM's decision-making process, such as prompt injection, would primarily aim to manipulate the selection and parameters of Tools, tricking the agent into performing undesired actions.
Conversely, vulnerabilities in the Host application's logic or the MCP Server's implementation might focus on bypassing access controls for Resources or directly invoking Tools without legitimate LLM intent, potentially exposing sensitive data or triggering actions illicitly. Security strategies must therefore address both protecting the LLM's reasoning for Tool selection and securing the implementation and access control mechanisms for both Tools and Resources across the entire MCP ecosystem.
Role in Context Management:
Fundamentally, MCP serves as a structured protocol for managing the context provided to AI agents and enabling them to act based on that context. It standardizes how information about available actions (tool discovery), the invocation of those actions, and the retrieval of external data (context) are handled. By providing this standardized layer, MCP aims to enhance LLM capabilities with external knowledge and action-taking abilities in a scalable and potentially more secure manner compared to ad-hoc integrations.
General Security Vulnerabilities in AI Agents
While MCP introduces specific architectural elements, systems employing it remain susceptible to the broader category of security vulnerabilities common to AI and LLM-based applications. Understanding this baseline threat landscape is crucial before examining MCP-specific issues. The OWASP Top 10 for Large Language Model Applications provides an authoritative framework for identifying these prevalent risks. This list, developed through collaboration among numerous experts, is particularly relevant given that the rapid adoption of AI technologies often outpaces the development of corresponding security measures. The identifiers used below follow OWASP's earlier LLM Top 10 numbering; the 2025 revision of the list renumbered several entries (for example, Sensitive Information Disclosure moved to LLM02 and Excessive Agency to LLM06), so treat the codes as a mapping aid rather than fixed labels.
Key vulnerabilities from the OWASP LLM Top 10 and other relevant sources applicable to AI agents (including those using MCP) include:
LLM01: Prompt Injection: This involves manipulating the inputs provided to the LLM to cause unintended behavior. Attackers might aim to bypass safety guardrails (a technique sometimes called "jailbreaking" or using methods like DAN - "Do Anything Now"), extract sensitive information, influence agent decisions, or coerce the agent into executing malicious actions. Prompt injection can be direct, where the attacker crafts malicious instructions within their own input to overwrite or circumvent system prompts, or indirect, where the malicious instructions are hidden within external data sources (e.g., websites, documents) that the agent processes. In the MCP context, a successful injection could trick the agent into misusing an MCP Tool.
LLM02/LLM05: Insecure Output Handling: This vulnerability arises when the outputs generated by the LLM or returned by an external tool (potentially via MCP) are not properly validated or sanitized before being used by downstream components or systems. Treating LLM/tool output as trusted can lead to various injection attacks like Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), Server-Side Request Forgery (SSRF), or even Remote Code Execution (RCE) if the output is interpreted or executed by another part of the application or a connected system. The principle is to treat LLM and tool outputs as untrusted user input.
LLM03/LLM04: Data Poisoning (Training & Context): Attackers may attempt to manipulate the data used to train the AI model or the contextual data provided to it at runtime. Training data poisoning can introduce biases, vulnerabilities, or backdoors into the model itself, degrading its performance or causing harmful outputs. Context data poisoning, potentially delivered via compromised MCP Resources or Tools, can mislead the agent's reasoning or decision-making process for a specific task. Securing the data supply chain is critical.
Model Evasion / Adversarial Attacks: These attacks involve crafting specific inputs designed to deceive the AI model's perception or classification capabilities, causing it to make incorrect predictions or bypass security filters, without necessarily modifying the model itself. For example, subtle modifications to an image could cause an object recognition system to misclassify it.
LLM04: Model Denial of Service (DoS): Attackers can target the LLM or its supporting infrastructure (including potentially MCP servers or the tools they access) with resource-intensive queries or a high volume of requests. Given that LLM inference can be computationally expensive, such attacks can degrade service quality, increase operational costs significantly, or render the agent unavailable.
LLM03/LLM05: Supply Chain Vulnerabilities: The complex lifecycle of AI applications relies on numerous components, including pre-trained models, training datasets, third-party libraries, APIs, and plugins. Vulnerabilities in any part of this supply chain can compromise the security of the final application. This includes vulnerabilities in the software implementing MCP servers, the libraries used by MCP components, or the external tools and APIs that MCP servers wrap. Maintaining a Machine Learning Bill of Materials (ML-BOM) can help track components.
LLM02/LLM06: Sensitive Information Disclosure: LLMs might inadvertently reveal confidential or sensitive information in their responses. This data could originate from the model's training data or from sensitive context provided during the interaction, potentially via MCP mechanisms. Such disclosures can lead to privacy violations, regulatory penalties, and loss of competitive advantage.
LLM06/LLM08: Excessive Agency / Permission Issues: This critical vulnerability occurs when an AI agent, or plugins/tools it uses, are granted more permissions or capabilities than necessary for their intended function (violating the Principle of Least Privilege). Excessive agency allows agents to perform unauthorized or harmful actions if compromised or misused. Examples include a plugin designed to read files also having write/delete permissions, or an agent having access to all user data instead of just the current user's. MCP, by design, facilitates agency, making careful permission management paramount.
LLM09: Overreliance: This risk stems from users or systems placing undue trust in the outputs or actions of AI agents without sufficient critical evaluation or human oversight. Overreliance can lead to poor decision-making based on inaccurate or biased AI outputs, propagation of misinformation, or failure to catch security issues.
LLM07/LLM10: Insecure Plugins/Tool Integration: Vulnerabilities can be introduced through the external tools, plugins, or APIs that the AI agent interacts with, potentially via MCP. If these external components have insecure designs, handle inputs improperly, or lack sufficient access controls, they can be exploited through the agent, potentially leading to severe consequences like RCE.
LLM10: Model Theft / Extraction: Attackers may try to steal proprietary AI models or reconstruct their parameters and architecture. This can be done by exploiting vulnerabilities in the system hosting the model or through inference attacks, where attackers send numerous queries and analyze the responses to reverse-engineer the model's behavior.
While the OWASP LLM Top 10 provides a robust checklist, it's crucial to recognize how these vulnerabilities manifest specifically within the MCP framework. MCP introduces distinct mechanisms, such as standardized discovery (tools/list), invocation (tools/call), and the client-server architecture, which become the conduits or targets for these general attacks. For example, Prompt Injection might aim to trick the LLM into invoking a dangerous MCP Tool. Insecure Output Handling applies directly to data received from an MCP Server via a tool call. Supply Chain risks encompass the MCP Servers themselves and the tools they expose. Excessive Agency is intrinsically linked to the permissions granted to MCP Clients and Servers and the scope of the tools they access via the protocol. Therefore, MCP does not eliminate these fundamental risks but provides a specific, standardized structure through which they can be exploited.
The following table maps these general OWASP LLM vulnerabilities to their specific relevance within the MCP context:
Table 1: OWASP Top 10 for LLM Applications Mapped to MCP Context
| OWASP ID & Name | Description | Relevance/Manifestation within MCP Framework |
|---|---|---|
| LLM01: Prompt Injection | Manipulating LLM inputs to cause unintended actions or bypass controls. | Can be used to trick the agent's LLM into selecting/invoking malicious or inappropriate MCP Tools, potentially with harmful parameters, or revealing sensitive context data. |
| LLM02: Insecure Output Handling | Failing to validate/sanitize LLM outputs before use in downstream systems. (Also LLM05) | Applies to outputs received from MCP Servers (tool results, resource data). Failure to validate can lead to injection attacks (XSS, RCE etc.) in the Host application or connected systems. |
| LLM03: Training Data Poisoning | Tampering with training data to introduce vulnerabilities or biases. (Also LLM04) | Affects the core LLM used by the agent. Poisoned models might misuse MCP tools or misinterpret context provided via MCP. |
| LLM04: Model Denial of Service | Resource exhaustion attacks targeting the LLM or infrastructure. | Can target the agent's LLM, but also specifically MCP Servers (via excessive tools/list or tools/call requests) or the underlying tools/APIs accessed via MCP, disrupting context/action capabilities. |
| LLM05: Supply Chain Vulnerabilities | Risks from compromised components, models, datasets, or plugins. (Also LLM03) | Includes vulnerabilities in MCP Client/Server implementations, libraries used, the tools/APIs wrapped by MCP Servers, or compromised pre-trained models used by the agent. |
| LLM06: Sensitive Information Disclosure | LLM inadvertently revealing confidential data in responses. (Also LLM02) | Sensitive data provided to the agent as context via MCP (from Resources or Tool results) could be leaked in the LLM's subsequent output if not properly handled/scrubbed. |
| LLM07: Insecure Plugin Design | Vulnerabilities in plugins due to insecure inputs or insufficient access control. (Also LLM10) | Directly applies to the design of tools exposed via MCP Servers. Poorly designed tools (e.g., accepting unsanitized input, lacking proper checks) can be exploited through MCP interactions. |
| LLM08: Excessive Agency | Granting LLMs/plugins excessive permissions or autonomy. (Also LLM06) | Highly critical for MCP, which enables agency. Overly broad permissions assigned by the Host to MCP Clients, or by Servers to exposed Tools, can lead to severe abuse if the agent is compromised. |
| LLM09: Overreliance | Blindly trusting LLM outputs/actions without critical assessment. | Users or systems might over-trust actions performed by an agent via MCP Tools, failing to implement necessary checks or human oversight for critical operations. |
| LLM10: Model Theft | Unauthorized access, copying, or extraction of proprietary LLMs. | Primarily targets the LLM itself, but vulnerabilities in MCP components (e.g., allowing excessive querying or exposing internal model details) could potentially facilitate model extraction attempts. |
Among these, the concept of "Excessive Agency" (LLM08) warrants special attention within the MCP framework. MCP's explicit purpose is to empower AI agents to take real-world actions through external tools. This inherent empowerment means that defining and rigorously enforcing appropriate operational boundaries (following the principle of least privilege) is not just a best practice but a fundamental necessity. The challenge is magnified by MCP's support for dynamic tool discovery, where an agent might encounter and attempt to use tools not known at design time. Managing permissions effectively across a potentially large and evolving set of tools offered by various MCP servers, governed by the Host application, presents a significant security governance hurdle. The very design goal of MCP, enabling action via standardized tool use, inherently amplifies the risk associated with excessive agency, demanding sophisticated, potentially dynamic permission models and robust enforcement mechanisms across all components.
MCP-Specific Security Challenges and Attack Vectors
Beyond the general AI vulnerabilities that manifest within the MCP framework, the protocol's specific architecture and its function as a context management layer introduce unique security challenges and attack vectors. These arise from the way MCP structures interactions, manages context flow, and enables capabilities like dynamic discovery.
Context Management as a Vulnerability Surface:
MCP standardizes and centralizes the exchange of context between AI agents and external systems. This managed context, encompassing data retrieved from resources, parameters passed to tools, and results returned, becomes a primary target for attackers. General research into context management for AI agents highlights potential weaknesses; failures in ensuring context relevance, managing context permanence, or correctly identifying critical context can be exploited if security is not maintained. Within MCP, the integrity and confidentiality of this context must be protected as it flows through the Host, Client, and Server components and across communication channels. Any weakness in this chain can lead to context-related attacks.
Attack Vectors Targeting MCP-Agent Interactions:
Several attack vectors specifically target the mechanisms and interactions defined by MCP:
Context Manipulation/Poisoning via MCP: Attackers could seek to inject malicious data or misleading information into the agent's context through MCP channels, aiming to corrupt the agent's understanding or manipulate its subsequent actions. This differs from direct prompt injection against the LLM itself. Instead, it targets the data the LLM reasons over. Potential methods include:
- Compromising an MCP Server or the underlying tool/data source it wraps, causing it to return malicious or manipulated data in response to a legitimate tools/call or resource request.
- Exploiting vulnerabilities to directly tamper with data intended for an MCP Resource before it reaches the agent. This vector leverages MCP's role as a data conduit to achieve data poisoning effects.
Unauthorized Context/Tool Access: Exploiting flaws in the authentication, authorization, or session management mechanisms implemented within the MCP ecosystem (Host, Client, or Server). An attacker might bypass intended controls to:
- Access sensitive data exposed via MCP Resources that the agent or user is not authorized to see.
- Invoke MCP Tools that the agent or user is not permitted to use, potentially leading to unauthorized actions or system compromise. This relates to the general risk of Excessive Agency but specifically focuses on exploiting weaknesses in the access control implementations within the MCP components themselves.
Denial-of-Service (DoS) on MCP Infrastructure: Specifically targeting components of the MCP infrastructure to disrupt the agent's ability to interact with the external world. This could involve:
- Overwhelming MCP Servers with a high volume of discovery (tools/list) or invocation (tools/call) requests.
- Sending malformed requests that exploit parsing or handling flaws in MCP Client or Server implementations.
- Targeting the underlying resources or tools accessed by MCP Servers, indirectly causing the MCP interactions to fail. This is a specific manifestation of Model DoS focused on the MCP communication layer.
Exploiting the Discovery Mechanism: The dynamic discovery feature (tools/list), while enabling flexibility, can be abused. A malicious actor could set up a rogue MCP Server that advertises harmful or deceptive tools. If an MCP Client connects to this server (perhaps due to misconfiguration or a supply chain compromise where a legitimate-looking server is actually malicious), the agent might be tricked into invoking these dangerous tools, leading to data theft, code execution, or other compromises. This leverages a core MCP feature for malicious ends and relates to Supply Chain risks. Robust server vetting and client-side policies regarding trusted servers are essential countermeasures.
Attacks via MCP Tools/Resources (Passthrough Exploitation): MCP acts as a standardized interface to potentially complex backend systems. An attacker who gains control over the agent's ability to invoke MCP tools might use this access to probe for and exploit vulnerabilities in the underlying applications or APIs that the MCP Server wraps. The standardization provided by MCP might inadvertently lower the bar for interacting with diverse backend systems once initial access to the agent's MCP client capabilities is achieved. This relates to Insecure Plugin Design but highlights MCP acting as a potential pivot point.
Communication Channel Attacks: If the communication links between MCP Clients and Servers (particularly remote HTTP/SSE connections) are not properly secured (e.g., lack of mandatory TLS encryption, weak cipher suites), an attacker could intercept, eavesdrop on, or manipulate the JSON-RPC messages exchanged. This could expose sensitive data within requests/responses or allow injection of malicious commands. Even local stdio communication needs protection against unauthorized access or interference on the host machine.
Identity Spoofing: Malicious entities could attempt to masquerade as legitimate MCP Servers to trick clients into connecting, or as legitimate MCP Clients to send unauthorized requests to servers. This necessitates strong, mutual authentication mechanisms between clients and servers.
The abstraction layer provided by MCP, intended to simplify integration, can paradoxically obscure underlying risks. An agent developer interacting with a tool via its MCP interface might not have full visibility into the security posture or potential vulnerabilities of the actual backend system the MCP Server interacts with. They rely on the server's advertised description and implementation. If the server is poorly implemented, misconfigured, or wraps an insecure tool, the agent might invoke actions with unforeseen and severe security consequences. Secure use of MCP therefore requires trust in, or verification of, not only the MCP components but also the underlying systems they connect to.
Furthermore, the dynamic discovery capability presents a fundamental security governance challenge. How can a Host application, responsible for permissions, effectively pre-authorize or enforce policies on tools it might only learn about at runtime? Static allow/deny lists for servers or tools might be too rigid, hindering flexibility, or too permissive, increasing risk. This inherent dynamism suggests a need for more sophisticated security models, potentially involving runtime trust negotiation, risk-based access control based on tool metadata, context-aware policies enforced by the Host, or mandatory user confirmation for invoking newly discovered or high-risk tools. The flexibility offered by MCP's design necessitates equally adaptive and robust security controls.
The following table summarizes these MCP-specific attack vectors:
Table 2: MCP-Specific Attack Vectors and Descriptions
| Attack Vector | Description | Targeted MCP Component(s) | Related General Vulnerability (OWASP LLM Top 10) |
|---|---|---|---|
| Context Manipulation/Poisoning | Injecting malicious/misleading data into agent context via MCP responses or resources. | Server, Client (processing response) | LLM03/LLM04 (Data Poisoning) |
| Unauthorized Context/Tool Access | Bypassing MCP authentication/authorization to access restricted data/tools. | Host (permissions), Client, Server (ACLs) | LLM06/LLM08 (Excessive Agency) |
| DoS on MCP Infrastructure | Overwhelming MCP clients/servers or exploiting protocol handling flaws to disrupt service. | Client, Server, Communication Channel | LLM04 (Model DoS) |
| Discovery Mechanism Exploitation | Malicious servers advertising harmful tools; clients connecting and invoking them. | Client (trust decision), Malicious Server | LLM05 (Supply Chain), LLM07 (Insecure Plugin) |
| Attacks via MCP Tools (Passthrough) | Using MCP access to probe/exploit vulnerabilities in the underlying systems wrapped by servers. | Server (as gateway), Underlying Tool/API | LLM07/LLM10 (Insecure Plugin) |
| Communication Channel Attacks | Intercepting or manipulating data exchanged between client and server over unsecured channels. | Communication Channel (stdio, HTTP/SSE) | LLM06 (Info Disclosure), General Network Security |
| Identity Spoofing | Malicious entities masquerading as legitimate MCP clients or servers. | Client, Server | General Authentication/Identity Management |
Data Privacy and Confidentiality Risks with MCP
AI agents often require access to sensitive information, such as Personally Identifiable Information (PII), financial records, health data, or confidential business strategies, to perform meaningful tasks effectively. MCP, as a protocol designed to connect agents to external data and tools, inherently becomes a conduit for this sensitive data, introducing significant privacy and confidentiality risks that must be carefully managed.
Data Flow and Exposure Points:
Sensitive data can enter and flow through the MCP ecosystem in various ways:
- Included in user prompts directed at the agent.
- Retrieved from external databases or files via MCP Resources.
- Passed as parameters (arguments) within tools/call requests to MCP Servers.
- Contained within the results returned by MCP Tools or Resources.
This data traverses multiple components: from the user/environment to the Host, through the MCP Client, across the communication channel to the MCP Server, potentially processed by the backend tool/system, and then back along the same path. Each component and communication link in this chain represents a potential point where sensitive data could be exposed, mishandled, or intercepted. The intermediary nature of MCP, inserting Server and Client components between the agent and the ultimate data source/sink, inherently increases the number of handling points compared to a direct integration. While standardization is the goal, this increased number of hops expands the attack surface for data breaches.
Specific Risks of Exposure:
Leakage via LLM Output: If sensitive data provided as context via MCP (e.g., retrieved from a Resource or returned by a Tool) is processed by the agent's core LLM, the model might inadvertently include this information in its subsequent responses to the user or in calls to other tools. This is a direct manifestation of the LLM06 Sensitive Information Disclosure vulnerability. Robust output filtering and data scrubbing techniques are necessary.
Leakage via MCP Components: Vulnerabilities, misconfigurations (e.g., excessive logging), or compromises within the Host, MCP Client, or MCP Server software could lead to the logging, interception, or exfiltration of sensitive data passing through them. Lack of encryption for data in transit over communication channels (especially HTTP/SSE) or inadequate protection for data at rest (e.g., cached context) within these components poses a significant risk.
Leakage via Tool Execution: The external tool or API invoked by the MCP Server might itself have security flaws or poor data handling practices. Even if the MCP interaction itself is secure, the ultimate backend system could leak or misuse the sensitive data passed to it. MCP standardizes the invocation, but does not inherently guarantee the security practices of the invoked service.
Unauthorized Access: As detailed in Section IV, attackers who successfully exploit vulnerabilities to gain unauthorized access to MCP Resources or Tool results can directly exfiltrate sensitive data contained within the agent's context.
Compliance and Trust Implications:
The potential for sensitive data exposure through MCP mechanisms has serious implications for regulatory compliance. Mandates like the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), Health Insurance Portability and Accountability Act (HIPAA), and others impose strict requirements on handling personal and sensitive data. Organizations deploying MCP must ensure their implementations adhere to principles like data minimization (collecting and processing only necessary data), purpose limitation, data retention limits, and implement appropriate technical safeguards like anonymization or pseudonymization where feasible. Failure to do so can result in significant legal penalties and reputational damage. Furthermore, data privacy is a cornerstone of user trust. If users perceive that AI agents using MCP might leak or misuse their personal information, it can significantly hinder adoption and engagement with these powerful technologies.
Risks Associated with Write Operations:
MCP is not limited to reading data; it explicitly supports enabling AI agents to write data back to external systems, such as updating CRM records, sending emails or messages, or modifying database entries. This capability introduces substantial integrity and privacy risks beyond simple data disclosure. An agent tricked by prompt injection or context manipulation could be coerced into:
- Writing false or malicious information into a system of record (data integrity violation).
- Overwriting correct data with incorrect or harmful data (data integrity violation).
- Injecting one user's private information into another user's records or communications (privacy violation).
- Sending sensitive data to unauthorized recipients via messaging or email tools (privacy violation).
These actions, performed by the agent under the auspices of its legitimate function, can be particularly insidious and difficult to detect compared to direct external attacks. Granting write capabilities via MCP tools therefore requires extreme caution, demanding robust input validation, strict least-privilege access controls for write operations, comprehensive auditing, and potentially mandatory human-in-the-loop confirmation steps for any action that modifies critical data or disseminates sensitive information.
Security Implications of Complexity in Multi-Agent and Session Scenarios
The utility of AI agents is often envisioned beyond single-user, single-task interactions. Future applications increasingly involve multi-agent systems where multiple agents collaborate, or scenarios where a single agent infrastructure must serve multiple users concurrently, each with their own session and context. While MCP could potentially serve as a communication backbone in such complex scenarios, its use introduces significant security challenges related to context management, permissions, and resource allocation at scale.
Context Isolation:
A paramount requirement in any multi-tenant or multi-agent system is strict isolation between the contexts belonging to different users or agents operating within the same infrastructure. If an MCP Host application manages interactions for multiple users or agents concurrently, failure to maintain this isolation could have severe consequences:
Data Leakage: Sensitive information from one user's session or one agent's private context could inadvertently "bleed" into another session or be accessed by another agent. This could occur through shared memory, improper handling of concurrent requests to MCP clients/servers, or flaws in context caching mechanisms.
Action Misattribution/Interference: An agent might take an action within one user's session based on instructions or data erroneously obtained from a different user's context. Similarly, collaborating agents might interfere with each other's state or actions if shared context is not managed securely.
Research highlights the critical need for robust session management and data filtering to prevent such leaks and mis-assignments in agentic systems.
Permission Management Complexity:
Managing access controls, determining which user, session, or agent is permitted to interact with which MCP Server and invoke which specific Tools, becomes exponentially more complex in multi-agent or multi-session environments. Static permission models may be insufficient. Dynamic assignment and revocation of permissions based on session context, user roles, or inter-agent trust relationships are likely required. Ensuring fine-grained segregation of duties and enforcing least privilege across potentially hundreds or thousands of dynamically interacting entities is a formidable challenge. The general risks of Excessive Agency are significantly amplified in these scaled-up scenarios, aligning with research identifying challenges in managing interactions and trust in multi-agent ecosystems.
Resource Contention and Denial of Service:
When multiple agents or user sessions concurrently access the same MCP Servers or the underlying tools and APIs they wrap, it can lead to resource contention. Without proper management, this can result in performance degradation (increased latency) for all users or even denial of service if shared resources become exhausted. Effective load balancing, resource allocation quotas, and granular rate limiting applied per-user, per-session, or per-agent at the MCP Server level (and potentially within the Host) are necessary to ensure availability and fair usage.
Session Management Security:
Securely managing the lifecycle of user sessions or agent interactions within the MCP framework is crucial. Standard web security concerns like session fixation, session hijacking (if session identifiers are exposed or predictable), or improper session termination could potentially apply, depending on how the Host application manages state and authentication across interactions involving MCP. Sessionless approaches might mitigate some risks but introduce others, such as the need for meticulous filtering of private data before potential model fine-tuning.
A key consideration arising from the available information is that the MCP specification itself, as described, appears primarily focused on the mechanics of the 1:1 client-server connection and interaction. It does not seem to explicitly define standardized protocol-level mechanisms for handling complex multi-tenant context isolation, secure inter-agent context sharing, or dynamic permission management across multiple logical sessions using shared infrastructure. This implies that the significant burden of implementing these critical security features likely falls upon the developers of the MCP Host application. Relying on custom, application-specific implementations for such complex security requirements increases the risk of inconsistencies, design flaws, and vulnerabilities compared to relying on standardized, well-vetted protocol features. This potential gap in the standard represents an area requiring careful attention and potentially future protocol evolution.
Furthermore, in collaborative multi-agent systems, where agents might use MCP to exchange information or delegate tasks amongst themselves (e.g., one agent acting as an MCP Server for another), the attack surface expands dramatically. A compromise of a single agent (e.g., via prompt injection) could potentially cascade through the entire system. The compromised agent could use MCP interactions to:
- Send poisoned context or malicious data to collaborating agents.
- Issue harmful instructions, tricking other agents into misusing their own tools accessed via MCP.
This creates pathways for lateral movement and systemic compromise. Securing such systems requires not only securing individual agents and their external MCP connections but also implementing robust trust management, input validation, and potentially zero-trust principles for interactions between agents within the collective.
Mitigation Strategies and Best Practices for Securing MCP
Addressing the multifaceted security risks associated with MCP requires a defense-in-depth approach, combining secure implementation practices, robust access controls, continuous monitoring, and careful consideration of data privacy. The following mitigation strategies and best practices, synthesized from general AI/LLM security principles and applied specifically to the MCP context, are essential:
1. Secure MCP Implementation and Deployment:
Server Hardening: MCP Servers should be deployed on hardened operating systems with minimal necessary services. Dependencies should be kept up-to-date and scanned for vulnerabilities. Secure configuration management and robust logging/monitoring are essential.
Client Security: The MCP Client implementation within the Host application must be protected against tampering and ensure it correctly enforces policies received from the Host.
Secure Communication Channels: Mandate the use of strong, up-to-date TLS encryption (e.g., TLS 1.3) for all remote MCP communication over HTTP/SSE. Ensure appropriate permissions and isolation for local stdio-based communication.
2. Rigorous Input/Output Validation and Sanitization:
Treat MCP Data as Untrusted: All data received from MCP Servers (tool results, resource content) must be treated as potentially malicious user input. Apply rigorous validation and sanitization routines before parsing, interpreting, or using this data in downstream systems. This is critical to prevent injection attacks (XSS, SQLi, RCE) originating from compromised tools or servers.
Parameter Validation: MCP Servers must strictly validate the parameters received in tools/call requests against expected types, formats, ranges, and lengths before passing them to backend tools.
Context Filtering: Implement context-aware filtering mechanisms within the Host or Client to detect and potentially block malicious prompts, instructions, or sensitive data embedded within the context flowing to the LLM.
3. Robust Access Control and Authentication:
Strong Authentication: Implement strong, preferably mutual, authentication between MCP Clients and Servers to prevent spoofing and ensure only legitimate components can communicate.
Enforce Least Privilege: This is paramount for MCP.
- Hosts must grant MCP Clients the minimal set of permissions required for their function.
- Servers must expose tools with the narrowest possible scope and permissions needed to perform their task. Avoid overly broad functionalities within a single tool.
- Use MCP's built-in authorization framework, which since the March 2025 spec is based on OAuth 2.1 and, in the June 2025 revision, treats the MCP server as an OAuth resource server that must verify each token was issued for it (using Resource Indicators, RFC 8707). That check is what closes the "confused deputy" and token-passthrough holes, where a server reuses a token it was handed to call a third-party API that should never have received it.
Granular Authorization: Implement fine-grained authorization policies within the Host (and potentially enforced by Servers) to control precisely which agent/user/session can invoke which specific tool, possibly based on context or risk level.
User Confirmation for Sensitive Actions: Require explicit user confirmation before the agent executes high-impact or irreversible actions via MCP Tools (e.g., deleting data, transferring funds, sending sensitive communications).
4. Secure Tool/Plugin Design and Integration:
Server-Side Tool Vetting: MCP Server operators must carefully vet the security and reliability of the underlying tools and APIs they choose to expose via MCP.
Secure Tool Design Principles: Tools exposed via MCP should be designed defensively:
- Accept strictly parameterized inputs with strong type and range checking.
- Avoid open-ended functionalities (e.g., direct shell execution).
- Implement internal access controls and logging.
Clear Tool Documentation: Provide clear, unambiguous, and accurate descriptions and parameter schemas for tools during the MCP discovery phase. This helps the LLM use tools correctly and allows Hosts to make more informed policy decisions. Consider "Poka-yoke" design principles to make misuse harder.
5. Comprehensive Monitoring, Logging, and Auditing:
Implement detailed logging across the Host, Client, and Server components, capturing MCP requests, responses, errors, authentication events, and authorization decisions.
Monitor logs and system behavior for anomalies, potential DoS patterns, repeated failed access attempts, or suspicious tool invocations.
Establish clear audit trails for actions performed via MCP.
6. Rate Limiting and Resource Management:
Implement robust rate limiting at the MCP Server level, applied per client, user, or IP address, to mitigate DoS attacks and prevent resource exhaustion.
Monitor resource consumption (CPU, memory, network) of MCP components and underlying tools.
7. Data Minimization and Protection:
Adhere to the principle of data minimization: only collect, process, and transmit sensitive data via MCP if strictly necessary for the task.
Employ data protection techniques like encryption in transit (TLS) and at rest (for cached context or logs).
Utilize data anonymization, pseudonymization, or specialized encryption techniques like Format-Preserving Encryption (FPE) where feasible to allow processing while reducing disclosure risk.
Implement robust data sanitization and scrubbing routines to prevent sensitive information from leaking into LLM outputs or logs.
8. Leverage Standardization for Governance:
Utilize the standardized nature of MCP to apply consistent security policies, monitoring, and governance controls across diverse tool integrations.
Develop and adhere to secure coding guidelines and reference implementations for building MCP Clients and Servers within the organization.
9. Maintain Human Oversight:
Avoid complete overreliance on autonomous agent actions. Integrate human review and approval steps (human-in-the-loop) for critical, sensitive, or potentially irreversible operations initiated via MCP.
10. Secure Supply Chain Practices:
Thoroughly vet all third-party components, including MCP Server implementations, libraries, pre-trained models used by the agent, and the external tools/APIs integrated via MCP.
Utilize tools like ML-BOMs to track dependencies and vulnerabilities.
It is crucial to recognize that effective MCP security extends far beyond the protocol specification itself. While MCP provides the communication structure, the actual security posture hinges heavily on the diligence and security consciousness applied during the implementation and configuration of the Host, Client, and Server components. The protocol standardizes how they talk, but security depends on what they say, who they talk to, and how securely they are built and operated. This underscores the need for comprehensive security guidelines, best practices documentation, and potentially conformance testing frameworks to accompany the MCP standard.
Furthermore, a fundamental tension exists between MCP's goal of enabling dynamic, flexible tool discovery and use and core security principles like least privilege and pre-authorization. Mitigating risks such as Excessive Agency or the exploitation of the discovery mechanism might necessitate controls that inherently limit this dynamism, for example, restricting connections to only pre-approved MCP servers, requiring manual user approval before using newly discovered tools, or implementing very strict Host policies. Organizations deploying MCP must therefore make conscious architectural and policy decisions to balance the desired level of agent autonomy and operational flexibility against the non-negotiable requirements of security and data protection, implementing mechanisms that effectively manage this inherent trade-off.
The following table maps key mitigation strategies to the MCP-specific risks identified earlier:
Table 3: Mitigation Strategies Mapped to MCP Risks
| MCP Risk/Attack Vector (from Table 2) | Key Mitigation Strategy(ies) | Responsible Component(s) | Relevant Best Practice Principle(s) |
|---|---|---|---|
| Context Manipulation/Poisoning | Input/Output Validation & Sanitization (at Client/Host), Secure Tool Design (at Server) | Client, Host, Server | Input Validation, Secure Defaults |
| Unauthorized Context/Tool Access | Strong Authentication, Granular Authorization (Least Privilege), Session Management | Host, Client, Server | Least Privilege, Zero Trust, Secure Authentication/Authorization |
| DoS on MCP Infrastructure | Rate Limiting, Resource Monitoring, Input Validation (for malformed requests) | Server, Host, Infrastructure | Resource Management, Input Validation |
| Discovery Mechanism Exploitation | Server Vetting Policies (at Host), Client-Side Trust Policies, Strong Server Authentication | Host, Client | Secure Supply Chain, Authentication, Policy Enforcement |
| Attacks via MCP Tools (Passthrough) | Secure Tool Design, Server-Side Input Validation, Least Privilege (Tool Scope) | Server, Underlying Tool/API | Secure Coding, Input Validation, Least Privilege |
| Communication Channel Attacks | Enforce TLS/Encryption, Secure stdio Permissions | Infrastructure, Client, Server | Secure Communication, Defense in Depth |
| Identity Spoofing | Strong Mutual Authentication | Client, Server | Secure Authentication |
| General Privacy Risks | Data Minimization, Encryption (Transit/Rest), Anonymization/FPE, Output Scrubbing | Host, Client, Server, Underlying Tool/API | Data Minimization, Privacy by Design, Secure Data Handling |
| Multi-Agent/Session Risks | Strict Context Isolation Mechanisms, Scalable Permission Management, Resource Quotas | Host (primary), Server | Secure Multi-Tenancy, Least Privilege, Resource Management, Isolation |
Research Landscape and Documented Evidence
Understanding the security posture of MCP also involves examining the broader research landscape concerning AI agent security and seeking documented evidence of specific vulnerabilities or incidents related to MCP itself.
Current AI Agent Security Research:
Recent academic research, particularly surveys and analyses often found in preprints on platforms like ArXiv, highlights a growing awareness of the unique security challenges posed by increasingly autonomous AI agents. Key themes and identified knowledge gaps emerging from this research include:
Unpredictability of Multi-Step User Inputs: Agents must often handle complex, sequential interactions, making it difficult to anticipate all possible user behaviors and inputs, which can lead to unpredictable agent responses and vulnerabilities to manipulation.
Complexity in Internal Executions: The internal processes of agents, involving planning, reasoning, memory access, and tool invocation (potentially via MCP), are often complex and opaque. This makes auditing internal states, detecting flaws, and ensuring secure execution challenging.
Variability of Operational Environments: Agents may operate across diverse environments (local machines, cloud servers, browsers), each with different security characteristics. Ensuring consistent and secure behavior across these variable environments is difficult. Web-based AI agents, for instance, have been shown to exhibit significantly higher vulnerability rates compared to standalone LLMs due to their integration with browsers and ability to interact with web elements.
Interactions with Untrusted External Entities: Agents frequently need to interact with external tools, APIs, and data sources (the core function facilitated by MCP). These external entities may be untrusted or contain vulnerabilities, creating significant risks related to data integrity, confidentiality, and agent control. Research specifically flags the risks associated with agents having direct database access.
Session Management and Data Handling: Securely managing user sessions, maintaining context isolation, and protecting sensitive data (especially during fine-tuning or when using techniques like Format-Preserving Encryption) are identified as critical security requirements for stateful agent interactions.
This body of research underscores that the security concerns analyzed in this report regarding MCP are not merely theoretical constructs specific to one protocol. Instead, they align closely with systemic challenges recognized across the broader field of AI agent security. Issues like securing external interactions, managing internal complexity, and protecting data flow are fundamental problems that protocols like MCP aim to address but also inherit.
Applicability of Existing Security Frameworks:
Established security frameworks provide valuable starting points for assessing MCP and AI agent security. The OWASP Top 10 for LLM Applications is highly relevant, covering many core risks as discussed in Section III. Threat modeling methodologies like STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege) can also be applied to identify potential threats within the MCP architecture.
However, research suggests these existing frameworks may require adaptation or extension to fully capture the nuances of AI agents and protocols like MCP. For example, STRIDE may lack specific categories for AI-unique threats like adversarial machine learning (evasion attacks), data poisoning, or model extraction, and it might struggle to model the dynamic, autonomous behaviors and complex interactions inherent in agentic systems. Frameworks focused narrowly on privacy, like LINDDUN, miss other critical security threats. Therefore, while leveraging existing frameworks is beneficial, a comprehensive security assessment must also consider the specific characteristics of AI agents and the MCP protocol.
Documented MCP Security Incidents:
By mid-2026 the "no public incidents" caveat that held when MCP launched no longer applies. Real, disclosed vulnerabilities now map directly onto the theoretical vectors described above.
Tool poisoning. In April 2025 Invariant Labs demonstrated tool poisoning attacks, where a malicious MCP server hides instructions inside a tool's description, text the model reads but the user usually never sees. The agent follows the hidden instructions, so a benign-looking tool can exfiltrate files or SSH keys. That is the discovery-mechanism and context-poisoning vectors made concrete.
Rug pulls and line jumping. Follow-on research showed a server can present a safe tool definition at approval time and silently change it later (a "rug pull"), and that a tool description alone can inject instructions into the model's context before any tool is ever called ("line jumping"). Both defeat one-time, install-time review.
Remote code execution in the tooling. Two critical CVEs hit widely used MCP components. CVE-2025-49596, disclosed by Oligo in mid-2025, is an RCE in Anthropic's own MCP Inspector debugging tool (CVSS 9.4): the proxy accepted stdio commands from the browser without authentication, and DNS rebinding let any website reach the localhost instance and run code on the developer's machine. It was fixed in Inspector 0.14.1. CVE-2025-6514, found by JFrog, is an OS command-injection RCE (CVSS 9.6) in mcp-remote, a connector downloaded more than 437,000 times and used by Claude Desktop, Cursor, and Windsurf; a malicious server returned a crafted OAuth authorization_endpoint that mcp-remote passed to a shell. It was fixed in 0.1.16.
None of these are exotic. They are the standard-issue failures, missing authentication, unsanitized input passed to a shell, over-trusted third-party servers, that this report warns about, now landing in a protocol whose whole job is to hand external code influence over an agent. The right posture is a proactive one built on risk analysis and the mitigations below, not waiting for the next disclosure.
Conclusion and Recommendations
Model Context Protocol (MCP) represents a significant effort to standardize and simplify the way AI agents interact with external tools, data, and services. By providing a common interface, it aims to overcome the complexity of custom integrations and enable more capable, context-aware AI applications. However, this standardization, coupled with the inherent complexities of AI agents and context management, introduces a unique set of security challenges that demand careful consideration.
Summary of Key Risks:
This analysis has identified several critical security considerations associated with MCP:
New Attack Surfaces: MCP's architecture (Host, Client, Server) and core functions (discovery, invocation, context exchange) create new surfaces vulnerable to attacks like context manipulation, unauthorized access, DoS, and exploitation of the discovery mechanism.
Manifestation of General AI Risks: Common LLM vulnerabilities, as categorized by OWASP Top 10 for LLMs, find specific expression within the MCP framework. Risks like prompt injection, insecure output handling, data poisoning, excessive agency, and supply chain vulnerabilities are directly relevant and potentially amplified by MCP's role in enabling action and data flow.
Data Privacy and Confidentiality: MCP acts as a conduit for potentially sensitive data, increasing the risk of exposure through LLM leakage, component compromise, insecure tool handling, or unauthorized access. Write operations enabled by MCP introduce additional data integrity and privacy risks.
Complexity at Scale: Using MCP in multi-agent or multi-session scenarios introduces significant challenges in maintaining context isolation, managing permissions dynamically, and preventing resource contention, potentially exceeding the explicit provisions of the current protocol specification.
High-Level Recommendations:
Securing MCP deployments requires a holistic, defense-in-depth strategy encompassing technology, process, and governance. Key recommendations include:
Adopt a Zero-Trust Architecture: Assume no implicit trust between MCP components (Host, Client, Server) or between the agent and the tools it accesses. Verify explicitly at each step, enforce strict authentication, and apply the principle of least privilege rigorously across all interactions.
Prioritize Secure Implementation: Security depends critically on the quality of MCP component implementations. Adhere to secure coding practices, harden deployment environments, validate all inputs and outputs meticulously, and ensure communication channels are robustly encrypted.
Develop Robust Permission and Policy Models: Implement fine-grained, potentially dynamic access control mechanisms to govern which agents/users can access which MCP servers and tools under specific conditions. Policies should be clearly defined, consistently enforced (primarily by the Host), and regularly audited.
Implement Comprehensive Data Protection: Treat data privacy as a core security requirement. Minimize the flow of sensitive data through MCP, employ encryption (in transit and at rest), utilize anonymization or specialized techniques like FPE where appropriate, and implement output scrubbing to prevent leaks.
Invest in Continuous Monitoring and Auditing: Maintain high visibility into MCP interactions through comprehensive logging and real-time monitoring. Analyze logs for anomalies, security events, and policy violations to enable rapid detection and response.
Exercise Caution with Agent Autonomy: Carefully balance the benefits of increased agent autonomy enabled by MCP against the associated security risks. Implement human-in-the-loop controls for critical, sensitive, or irreversible actions, and avoid overreliance on agent decisions.
Future Research Directions:
While MCP is a promising development, further research and standardization efforts are needed to enhance its security posture. Potential areas include:
- Developing standardized security extensions for MCP to address gaps like fine-grained dynamic permissions, multi-tenant context isolation, and secure inter-agent communication protocols.
- Creating formal methods and tools for verifying the security properties of MCP Client and Server implementations.
- Developing specialized security testing tools and methodologies tailored to identify vulnerabilities in MCP deployments.
- Conducting empirical studies and publishing case studies on the security of real-world MCP implementations to share lessons learned and best practices.
In conclusion, MCP offers a valuable framework for enhancing AI agent capabilities but is not an inherent security solution. It standardizes interaction pathways, which can be beneficial for governance but also creates concentrated points of risk. Secure adoption necessitates a proactive, security-first mindset, treating MCP components and interactions as critical infrastructure requiring careful design, robust implementation, continuous monitoring, and diligent governance. By understanding the risks outlined in this report and implementing the recommended mitigation strategies, organizations can secure the AI agents they deploy before MCP's attack surface is turned against them.
Get the newsletter
New writing on identity, AI security, and building software, delivered when it ships. No tracking pixels, no funnels, unsubscribe with one click.