Model Context Protocol is quickly moving towards the top of practical, financially damaging attack vectors on Agentic AI. This month’s research reveals significant risks like stealthy resource amplification loops, complex authentication nightmares in remote deployments, and vulnerable client setups. Fortunately, the security community is responding rapidly with standardized defense frameworks and powerful new open-source auditing tools. However, the key to our collective security is the quick adoption of those defensive measures.
Statistics:
Total resources: 11
Category breakdown:
MCP security resources:
Threat modeling
MCP authentication and authorization – a comprehensive analysis
Doyensec security researchers analyze the authentication and authorization challenges in enterprise-ready remote MCP deployments, highlighting fragmented standards and complex multi-actor flows. The team argues that MCP’s AuthN/AuthZ landscape represents a “nightmare” similar to historical OAuth and SAML vulnerabilities, with particular concerns surrounding the JAG extension.
Model Context Protocol threat modeling
This research applies established STRIDE and DREAD frameworks to conduct threat modeling of MCP implementations. It systematically analyzes vulnerabilities across the MCP Host and Client, LLM, MCP Server, External Data Stores, and Authorization Server.
MCP server security: 10 protocol-level attack scenarios
A basic catalog of 10 protocol-level attack patterns specific to MCP servers. This list includes critical vectors like schema poisoning, tool poisoning, rug pulls, and cross-server shadowing.
DVMCP: intentionally vulnerable MCP server for learning AI agent security
Security teams can now practice exploiting a DVWA-style MCP server equipped with 28 tools and 38 challenges. This open-source, Docker-ready environment covers 19 distinct vulnerability categories for hands-on learning.
Auditing MCP servers for over-privileged tool capabilities
Because MCP servers often expose over-privileged capabilities, researchers present the mcp-sec-audit toolkit, which combines static and dynamic analysis. The tool achieves 100% detection on the MCPTox benchmark.
Golf Scanner – OSS tool to find and audit every MCP server
Golf Scanner is a new open-source Go CLI designed to discover MCP server configurations across seven popular IDEs. Security teams can use it to automatically run 20 unique security checks against their local environments.
Research
Stealthy resource amplification via tool calling chains in LLM agents
This paper demonstrates how a malicious MCP server can steer LLM agents into prolonged tool-calling chains. The attack silently inflates per-query costs by up to 658x while evading standard defenses with less than a 3% detection rate.
Generating stealthy injection payload via tree-based adaptive search
The TIP framework uses a tree-based adaptive search to craft stealthy MCP injection payloads, achieving a 95% attack success rate. The authors provide real-world demonstrations on LM Studio and VS Code using GPT-4o.
Are AI-assisted development tools immune to prompt injection?
Researchers conducted the first empirical comparative security analysis across seven major MCP clients, testing four distinct tool-poisoning attack vectors. The study reveals that Cursor remains vulnerable to all four attacks.
MCP defense
Understanding IAM for managed AWS MCP servers
AWS introduces standardized IAM context keys specifically designed for managed MCP servers. This update allows administrators to accurately differentiate AI agent actions from human actions across their cloud infrastructure.
MCP vulnerability
Cross-tool hijacking in MCP servers security loophole
A researcher publicly demonstrates three distinct MCP vulnerabilities, complete with working PoC code. The examples notably include a functional cross-tool hijacking exploit.
Audit your remote server connections
The emergence of automated testing utilities and detailed threat modeling frameworks leaves no excuse for running unvetted MCP integrations. Security engineering teams should incorporate such tools into their stack to detect shadow or insecure MCP servers and over-privileged capabilities before they reach production environments. Once that baseline audit is complete, teams should shift to ongoing security testing to maintain their security posture.