Top MCP security resources — July 2026

MCP Security + MCP Security Digest Sergey todayJuly 6, 2026

Background
share close

The Model Context Protocol (MCP) rapidly became a widely adopted enterprise standard, opening a massive new attack surface. July highlighted the severe risks of this architecture, punctuated by the NSA’s release of official MCP hardening guidelines and the discovery of critical auto-execution vulnerabilities in tools like Amazon Q. As AI agents seamlessly pull contexts from third-party services, attackers are actively weaponizing these pathways via threshold poisoning and fake diagnostic events, proving that context providers can no longer be blindly trusted.

Statistics

Total resources: 10
Category breakdown:

Category Count
MCP vulnerability 2
Attack technique 3
CISO resources on MCP 1
MCP red teaming 1
MCP defense 1
Threat modelling 1
MCP incident 1

MCP security resources:

MCP vulnerability

What happens locally leaks globally: Detecting privacy leakage risks in MCP servers

The MCPPrivacyDetector framework uses cross-language static and taint analysis to expose severe protocol-induced privacy leakage in MCP tool handlers. After analyzing over 10,000 real-world servers, researchers found that credentials, API keys, and PII leak at alarming rates exceeding 10%.

MCP auto-execution: From Git clone to cloud compromise in Amazon Q VS Code extension

A critical CVSS 8.5 vulnerability where Amazon Q auto-loaded MCP configs directly from workspace directories without user consent. Opening a malicious repository allowed attackers to instantly execute code and exfiltrate AWS credentials before the flaw was patched in June 2026.
An additional flaw in Amazon Q Developer caused directly by the implicit trust of MCP tool output. This vulnerability demonstrates how easily an AI agent can be compromised when it blindly accepts MCP-returned content as executable instructions.

Attack technique

WebMCP tool surface poisoning: Runtime manipulation attacks on LLM agents

Attackers are leveraging Mid-Session Tool Injection (MSTI) to hijack the tools a WebMCP agent utilizes during active sessions. By using third-party scripts for AbortSignal hijacking and registration races, this runtime manipulation achieves exceptionally high attack success rates.

ShareLock: A stealthy multi-tool threshold poisoning attack against MCP

ShareLock introduces a sophisticated method of multi-tool poisoning that uses Shamir’s threshold secret-sharing logic. It splits malicious instructions across multiple benign-looking MCP tool descriptions, effectively evading automated detection while sustaining over 90% attack success.

Agentjacking: Hijacking AI coding agents via MCP + Sentry

Tenet Security discovered that attackers can inject fake Sentry error events through a public DSN, which the Sentry MCP server then blindly returns as trusted diagnostics. This allows attackers to achieve an 85% success rate when tricking coding agents into executing arbitrary commands across thousands of vulnerable organizations.

CISO resources on MCP

Model Context Protocol (MCP): Security design considerations for AI-driven automation

This NSA Cybersecurity Information Sheet offers an essential baseline for securing MCP deployments in the enterprise. It details structural risks like the inverted client-server pattern, unverified task propagation, and severe arbitrary-code-execution exposure.

MCP red teaming

Securing the AI agent: A unified framework for multi-layer agent red teaming

Tencent Zhuque Lab released AI-Infra-Guard, an open-source multi-layer red-teaming framework designed specifically for agent architectures. It provides structured methodologies for the LLM-driven auditing of MCP servers and agent-skill packages.

MCP defense

Securing AI agents: When AI tools move from reading to acting

Microsoft Incident Response researchers demonstrated a severe MCP tool-poisoning attack chain against a Copilot Studio finance agent. They successfully mapped existing Microsoft security controls, like Prompt Shields and Entra Agent ID, to effectively mitigate each stage of the kill chain.

Threat modelling

New MCP specification: Why security teams must prepare now

Akamai analyzes the security implications embedded within the new MCP specification changes. The research models the expanding threat surface that enterprise security teams must immediately address as widespread adoption accelerates.

MCP incident

Securing AI agents: As AI tools move from reading to acting

Microsoft documents a highly effective tool-poisoning and description-injection attack pattern recently observed in the wild. This production enterprise agent exploit successfully targeted fintech MCP servers, prompting the release of a detailed defensive playbook.

Stop implicitly trusting context providers

The vulnerabilities exposed this month prove that the Model Context Protocol is rapidly becoming a primary vector for AI agent hijacking. Security teams can no longer afford to treat MCP servers as inherently trusted internal utilities. You must enforce strict output validation on all MCP responses, mandate explicit user consent for loading workspace configurations, and implement rigid zero-trust boundary checks between agents and context providers to prevent catastrophic code execution and data leaks.

Written by: Sergey

Rate it
Previous post

Similar posts