Technology Radar

MCP Security Best Practices

ai-security, mcp
Trial

MCP (Model Context Protocol) servers are a rapidly growing attack surface — 66% of 1,808 scanned servers had security findings, and 30 CVEs were reported in 60 days in early 2026. The June 2025 MCP spec update added dedicated security best practices, OWASP published an MCP cheatsheet, and CoSAI identified 12 core threat categories with ~40 threats.

Key Threats

  • Prompt Injection via MCP: Hidden instructions in data triggering unauthorized tool actions
  • Tool Poisoning: Malicious/manipulated tool definitions passed into agent contexts (MCPTox benchmark shows this is "alarmingly common")
  • Confused Deputy: Attackers exploiting MCP proxy servers to obtain authorization codes without user consent
  • Token Theft: MCP servers storing auth tokens for multiple services — one breach means access to all

Real-World Incidents

  • Asana AI (May 2025): Tenant isolation flaw, cross-org data contamination affecting ~1,000 enterprises
  • WordPress AI Engine plugin: 100K+ sites affected by privilege escalation via MCP
  • Supabase Cursor agent: Attackers embedded SQL in support tickets to exfiltrate integration tokens

Best Practices

  • Authentication: mTLS, JWT, MFA, temporary scoped tokens, DPoP binding, audience limits
  • Resource Indicators (RFC 8707): Tokens scoped to specific MCP servers — now required by the spec
  • Per-request authorization: Re-verify each request, apply UEBA (user and entity behavior analytics) for threat detection
  • Input validation & sandboxing: Filter all inputs for dangerous patterns; run local MCP servers in sandboxes
  • Secrets management: Environment variables or dedicated secret managers, never hard-coded
  • Zero Trust: Security policies enforced at protocol layer

Strengths

  • Addresses a real and expanding attack surface
  • Protocol-level security enforcement via the official spec
  • Growing ecosystem of guidance (OWASP, CoSAI, Red Hat, Palo Alto)

Limitations

  • Protocol is still evolving; auth was initially an afterthought
  • Many MCP servers deployed without adequate security
  • No mature compliance framework specific to MCP yet