Observed in 1 unique occurrence across the ecosystem.
Top 12 Security Issues in Model Context Protocol (MCP) and How to Fix Them
Why MCP Security Issues Are Growing — and Why You Should Care
The Model Context Protocol (MCP) is rapidly emerging as the backbone of autonomous agent communication—akin to what TCP/IP is for the internet. But with its rising adoption comes a growing wave of exploits. As researchers and attackers alike publish new vulnerabilities, it’s critical to understand the full scope of MCP Security Issues affecting today’s systems.
This article compiles the 12 most critical MCP security issues, explains what makes each one unique, and provides direct links to every documented real-world example—including blog posts, advisories, proof-of-concept (PoC) code, and research papers.
Research Methodology Behind MCP Security Issues
We analyzed 40 verified sources—including research publications, vendor blogs, and independent hacker write-ups. Using a structured 5W-1H analysis (Who, What, When, Where, Why, and How), we eliminated duplicates and kept only MCP Security Issues with unique root causes and technical depth. Each flaw was validated with concrete evidence, such as PoC code or detailed exploit descriptions.
Below is the final, de-duplicated catalogue of the top security vulnerabilities in the Model Context Protocol (MCP). Each entry was rigorously reviewed from first principles, validated against fresh sources, and filtered through a 5W-1H matrix to ensure it represents a unique, root-cause flaw.
12 Root-Cause MCP Security Issues You Need to Know
| 5W-1H lens |
Question we ask for every candidate weakness |
Result we keep only if unique |
| Why | What attacker objective does this enable? |
If two issues serve the same objective and arise from the same root cause, we collapse them. |
| What | What root-cause flaw makes it possible? |
This is the category key in the final list – must be one per row. |
| Who | Which actor must be malicious or compromised? |
Confirms we’re not just renaming insider vs outsider variants of the same bug. |
| When | At which protocol phase does the exploit occur? |
Installation, tools/list, invocation, runtime… Overlap here does not merge rows if the root cause differs. |
| Where | Which MCP component or surface is hit? |
Verifies we’re not describing the same flaw on different hosts. |
| How | Concrete mechanism or payload? |
Used only for examples, never for row names. |
All overlapping issues that failed the uniqueness criteria—such as “line-jumping,” “tool-poisoning,” and “resource-poisoning”—were consolidated under their root-cause category, for example: Untrusted Context Injection.
1. Untrusted Context Injection
Observed in 10 unique occurrences across the ecosystem.
Malicious content injected into any part of the context—such as tool descriptions, tool lists, memory, or external files—can trick the LLM into executing unauthorized actions. In-depth analysis: The Trail of Bits Blog — “Jumping the Line”.
Verified Sources
- Trail of Bits – Jumping the Line
- Invariant Labs – Tool Poisoning Invariant Labs
- Phala Network – MCP Not Safe phala.network
- Simon Willison – MCP Prompt Injection
- arXiv 2504.03767 – MCP Safety Audit
- Wael Saideni – Understanding MCP Security Threats (Medium)
- Chris Martorella – Multiple Cyber-Security Perils
- PromptHub – MCP Security in 2025
- Upwind – Unpacking the Security Risks… Upwind
- Pillar Security – §Prompt Injection pillar.security
(and 15 more in the appendix)
2. Mutable Tool Definitions (“Rug-Pull”)
Observed in 4 unique occurrences across the ecosystem.
An MCP server that was previously approved can later swap in malicious code or alter schemas without detection, enabling hidden attacks. Detailed example: Phala Network — “Rug Pull” section.
Verified Sources
- Phala Network – MCP Not Safe – Rug Pull section
- Chris Martorella – Fake Updates
- Invariant Labs – MCP-Scan blog
- arXiv 2504.08623 – Enterprise-Grade Security for MCP
3. Ambiguous Tool Identity (Shadowing / Typosquatting)
Observed in 4 unique occurrences across the ecosystem.
Due to the MCP specification using only the <code>name</code> field for identification, attackers can hijack calls by registering duplicate or lookalike tool names. Deep dive: HiddenLayer — Tool Name Typosquatting.
Verified Sources
- HiddenLayer – Typosquatting
- Phala – Cross-Server Shadowing
- Upwind – Name-collision note
- GitHub puliczek/awesome-mcp-security – Shadowing examples
4. Insufficient Endpoint Authentication and Data Integrity
Observed in 3 unique occurrences across the ecosystem.
Many MCP servers expose unauthenticated HTTP endpoints or skip essential protections like TLS encryption and payload signing. This allows attackers to spoof responses or launch man-in-the-middle (MITM) attacks. Detailed reference: Upwind — Unpacking the Security Risks.
Verified Sources
- Upwind – Unpacking…
- Palo Alto Networks – MCP Security Exposed
- Windows Blog – Securing the Model Context Protocol…
5. Excessive Privilege Delegation
Observed in 3 unique occurrences across the ecosystem.
MCP servers frequently request overly broad OAuth scopes (e.g., ../.), which grant them access far beyond what’s needed. If such a server is compromised, attackers can inherit full-tenant data access and control. Detailed reference: Pillar Security — Excessive Permission Scope.
Verified Sources
- Pillar Security – Security Risks of MCP
- Upwind – Shadow Access subsection
- Chris Martorella – Privilege-leak example
6. Credential Leakage and Token Reuse
Observed in 3 unique occurrences across the ecosystem.
Tokens stored in plain text or exposed through logging can be stolen and reused by attackers to launch rogue MCP servers that impersonate legitimate ones. Detailed reference: Pillar Security — Token Theft.
Verified Sources
- Pillar Security – Token Theft
- Phala – Token Theft scenario
- Blog.sshh.io – Everything Wrong with MCP
7. Unisolated Execution Surface (Remote Code Execution)
Observed in 2 unique occurrences across the ecosystem.
Servers relying on stdio, shell passthrough, or vulnerable to path traversal can expose the MCP host to arbitrary code execution, enabling full system compromise. Detailed reference: Upwind — RCE Call-Out.
Verified Sources
- Shrivu Shankar – Everything Wrong with MCP
- Cato Networks – CATO-CTRL exploit
8. Supply-Chain Compromise
Observed in 2 unique occurrences across the ecosystem.
Unverified container images and third-party packages can introduce backdoored MCP binaries during the build or deployment process. Detailed reference: Upwind — Supply-Chain Risk.
Verified Sources
- Upwind – Supply-Chain section
- Azure blog – Building Safer Agentic Futures
9. Observability Blind Spot
Observed in 2 unique occurrences across the ecosystem.
Without immutable logging in place, it’s impossible to verify or refute what actions an MCP server performed after an incident occurs. Detailed reference: Upwind — Visibility & Observability.
Verified Sources
- Upwind – Visibility gap
- Wael Saideni – Monitoring recommendations
10. Availability Exhaustion (Denial of Service)
Observed in 2 unique occurrences across the ecosystem.
Excessive or recursive tool calls, along with oversized context payloads, can exceed token limits and consume CPU, resulting in denial-of-service. Detailed reference: arXiv 2504.08623 — DoS Case Study (Phala Network).
Verified Sources
- arXiv 2504.08623 – Section 5
- PromptHub – DoS bullet
11. Multi-Agent Workflow Hijack (A2A Relay)
Observed in 2 unique occurrences across the ecosystem.
Crafted prompts can hijack multi-agent workflows by redirecting tool calls through compromised or rogue agents, taking control of the agent swarm. Detailed reference: ForAISec — Protocol Hijack Analysis (Medium).
Verified Sources
- ForAISec – Agent Hijacking via MCP & A2A
- BecomingAHacker – Comparative study of MCP vs A2A
12. Protocol Implementation Divergence
Differences in MCP parser implementations can lead to inconsistent behavior — a payload rejected by one implementation might be accepted and executed by another. Detailed reference: arXiv 2504.03767 — Parser Quirks (Trail of Bits Blog).
Verified Sources
- arXiv 2504.03767 – §Parser Divergence
Why These 12 MCP Issues Are Mutually Exclusive
Each of the 12 documented vulnerabilities targets a distinct root cause. Here’s why they do not overlap.
-
Root-cause precision. Every row in the catalogue identifies a unique technical flaw. If two issues differ only by payload location (e.g., prompt vs. tool description), they were merged into a single category like Untrusted Context Injection.
-
No hierarchical overlap. One issue (e.g., Rug-Pull) may enable another (e.g., Context Injection), but they remain distinct because they represent separate root-cause defects.
-
Separate mitigation paths. Fixing endpoint authentication (#4) won’t prevent Rug-Pulls (#2) or Privilege Delegation (#5), highlighting the need for isolated, targeted defenses.
How to Use the MCP Security Issues Catalogue Effectively
This table helps defenders understand where and when different issues apply — and who the primary threat actor is in each case.
| Phase (“When”) |
Surface (“Where”) |
Relevant rows | Primary “Who” threat actor |
| Build time | Container images & dependencies |
8 | Malicious package maintainer |
| Deployment | MCP server config & auth |
4, 6 | Cloud attacker or insider |
| First Run | Tool fetch (tools/list) |
1, 2, 3 | Rogue MCP server |
| Runtime | Agent loops & cross-agent calls |
1, 7, 10, 11, 12 | External attacker or compromised agent |
Key Takeaways for Defenders Dealing with MCP Security Issues
-
Treat all context as untrusted input (#1).
Any mitigation is fragile if your LLM still executes uncontrolled text. -
Pin and sign all tool definitions (#2, #3).
Immutable manifests prevent Rug-Pulls and identity spoofing. -
Enforce mutual TLS and strong auth (#4, #6).
Make unauthorized or spoofed servers impossible to reach. -
Limit token privileges (#5).
Use least-privilege scopes; one overbroad token can grant full access. -
Implement tamper-proof logs (#9).
To investigate or contain incidents, you’ll need a verifiable audit trail.
These issues are not theoretical — they are already being exploited in the wild. Security teams must proactively test, validate, and harden their agentic AI systems before deployment. If you’re working with LLMs, toolchains, or autonomous workflows, now is the time to operationalize secure-by-design principles.
Adversa AI helps organizations red-team their AI systems, uncover hidden vulnerabilities, and build defenses that last. Get in touch to learn how we can help secure your agent stack — before attackers do.
Subscribe for updates
Stay up to date with what is happening! Get a first look at news, noteworthy research and worst attacks on AI delivered right in your inbox.
Appendix: 40 Trusted Sources on MCP Security Issues
This appendix includes 40 verified URLs that document real-world MCP Security Issues, research papers, exploit demos, and security analyses across trusted sources. Use it to explore deeper technical insights behind each issue described in the catalogue.
- The Trail of Bits Blog, Jumping the line: How MCP servers can attack you before you ever use them
- InvariantsLabs, MCP Security Notification: Tool Poisoning Attacks
- PLAHA, MCP Not Safe — Reasons and Ideas
- Simon Willison’s Weblog, Model Context Protocol has prompt injection security problems
- Arxiv.org, MCP Safety Audit: LLMs with the Model Context Protocol Allow Major Security Exploits
- Medium, Understanding MCP Security Threats and Mitigations: A Layered Approach
- Christian Martorella, Model Context Protocol (MCP) aka Multiple Cybersecurity Perils
- PromptHub, MCP Security in 2025
- HiddenLayer, MCP: Model Context Pitfalls in an Agentic World
- UpWind, Unpacking the Security Risks of Model Context Protocol (MCP) Servers
- Pillar, The Security Risks of Model Context Protocol (MCP)
- Medium, Security Analysis: Potential AI Agent Hijacking via MCP and A2A Protocol Insights
- Awesome MCP Security
- William OGOU Cybersecurity Blog, MCP Security (Part 2)
- Hackernoon, MCP Is a Security – Here’s How the Agent Security Framework Fixes It
- Analytics Vidhya, 6 Major Vulnerabilities of MCP
- Medium, The “S” in MCP Stands for Security
- Written Engineering, Model Context Protocol (MCP) security
- Medium, MCP Is a Security Nightmare — Here’s How the Agent Security Framework Fixes It
- Nccgroup, 5 MCP Security Tips
- Medium, Security 101: Model Context Protocol
- Medium, Comparing MCP, A2A, and AGNTCY in the AI Agent Ecosystem
- Shrivu’s Blog, Everything Wrong with MCP
- Embrace The Red, MCP: Untrusted Servers and Confused Clients, Plus a Sneaky Exploit
- Windows Blogs, Securing the Model Context Protocol: Building a safer Agentic future on Windows
- Palo Alto Networks, MCP Security Exposed: What You Need to Know Now
- OWASP GenAI, Securing AI’s New Frontier: The Power of Open Collaboration on MCP Security
- GitGuardian, A Look Into the Secrets of MCP: The New Secret Leak Source
- InvariantsLabs, GitHub MCP Exploited: Accessing private repositories via MCP
- Cato Nerworks, Threat Research: Exploiting Model Context Protocol (MCP) – Demonstrating Risks and Mitigating GenAI Threats
- Simon Willison’s Weblog, Model Context Protocol has prompt injection security problems
- Beincrypto, New Vulnerability Threatens Crypto Wallets: How Hackers Can Steal Your Assets
-
The Trail of Bits Blog, How MCP servers can steal your conversation history
-
Bernard IQ, MCP Resource Poisoning Prompt Injection Attacks
-
Ibeurerkellner, MCP Tool Poisoning Experiments
-
The Trail of Bits Blog, MCP Category
-
InvariantsLabs, Introducing MCP-Scan: Protecting MCP with Invariant
Previous post
insert_link
share
close
Towards Secure AI Week 21 — From Reactive Defense to Capability-Aware AI Red Teaming
AI systems are no longer just responding to prompts — they’re acting, adapting, and making decisions. This week’s stories reveal how traditional security tools like SIEM, firewalls, and EDR fail ...
