
MCP Security: Enterprise Defense Guide 2026


BeyondScale Team

AI Security Team


The Model Context Protocol has become the connective tissue of enterprise AI deployments. Within 13 months of Anthropic introducing MCP in November 2024, adoption reached 17,000+ indexed servers and 150+ million package downloads. With that scale came a new class of vulnerabilities that traditional security tooling was never designed to detect.

MCP security is not a theoretical concern. In 2025 alone, attackers used MCP flaws to leak private GitHub repository contents into public pull requests, intercept email from 1,500 weekly users of a popular package, and compromise 3,000+ hosted servers through a single Docker configuration flaw. This guide covers the attack surface, confirmed CVEs, real incidents, and the enterprise controls that actually reduce risk.

Key Takeaways

    • The STDIO transport architecture contains a design-level flaw: OS commands execute even when the MCP server fails to start. Approximately 200,000 servers are exposed. Anthropic classified this as expected behavior.
    • Tool poisoning embeds attacker instructions in tool descriptions, invisible to users but fully readable by the AI model. This has been used to exfiltrate SSH keys, API tokens, and private repository data.
    • 53% of MCP servers use static API keys or long-lived personal access tokens. Only 8.5% implement OAuth.
    • Tool shadowing allows a single malicious MCP server to poison the agent's behavior toward all other connected servers, without the malicious tool ever being called.
    • The OWASP MCP Top 10 is now a recognized project and the emerging compliance framework for MCP deployments.
    • Only 14% of organizations running agents in production have runtime guardrails in place (Lakera 2025 GenAI Security Readiness Report).

The Architecture Creates the Risk

MCP uses a client-host-server model with three transport mechanisms: STDIO (local process), Server-Sent Events over HTTP, and WebSockets. The host manages connections between the AI client and one or more MCP servers. Each server exposes tools, resources, and prompt templates.

The protocol introduces a trust boundary that most security teams have not yet mapped. The AI model reads tool descriptions it cannot independently verify. Those descriptions are treated as directives. When multiple MCP servers are connected simultaneously, they share a context window, meaning content from one server influences how the model interprets all others.

Anthropic's own specification states that tools "represent arbitrary code execution and must be treated with appropriate caution" and that "tool descriptions should be considered untrusted unless obtained from a trusted server." In practice, most enterprise deployments do not enforce this.

OWASP MCP Top 10: The Threat Landscape

The OWASP MCP Top 10 is the emerging standard for categorizing MCP-specific risks. Understanding it is essential for any enterprise deploying AI agents.

MCP01: Token Mismanagement and Secret Exposure. MCP servers require credentials to operate in 88% of implementations. Astrix Security found that 53% rely on static API keys or personal access tokens passed through environment variables. These long-lived credentials are a primary target for supply chain and tool-poisoning attacks.

MCP03: Tool Poisoning. The highest-impact attack class. Malicious instructions are embedded in tool metadata, including descriptions, parameter names, and annotations. The UI layer typically shows users a truncated tool name. The AI model reads the full schema. Invariant Labs demonstrated this with a bogus math tool that exfiltrated SSH private keys while displaying a normal arithmetic result.

MCP04: Software Supply Chain Attacks. Attackers publish malicious MCP packages or compromise legitimate ones. Nine of eleven MCP marketplaces tested by OX Security researchers were successfully poisoned with malicious server definitions. The mcp-remote npm package (CVE-2025-6514) received 437,000+ downloads before a critical CVSS 9.6 OS command injection was disclosed.

MCP06: Intent Flow Subversion. Attackers redirect what the agent is trying to accomplish. This does not require code execution. Embedding conflicting objectives in tool descriptions or injected context is sufficient. The GitHub incident in May 2025 demonstrated this at scale: a malicious public issue redirected an AI assistant to exfiltrate private repository contents into a publicly readable pull request.

MCP09: Shadow MCP Servers. Employees connect unauthorized MCP servers to enterprise AI tools outside IT visibility. These servers may be poorly secured, operated by unknown third parties, or actively malicious. Without an inventory control mechanism, shadow MCP servers are undetectable until an incident occurs.

MCP10: Context Injection and Over-Sharing. Shared context windows can leak information between tasks, users, or agents. The Asana cross-tenant breach in June 2025 demonstrated this: a logic flaw in MCP access controls caused one organization's projects and sensitive objects to appear in other customers' MCP instances.

Confirmed CVEs and Real Incidents

The vulnerability database at VulnerableMCP.info currently tracks 50 known vulnerabilities, 13 classified as critical. A representative set of confirmed CVEs:

| CVE | CVSS | Vulnerability |
|-----|------|---------------|
| CVE-2025-6514 | 9.6 | mcp-remote proxy OS command injection via OAuth flow |
| CVE-2026-23744 | 9.8 | MCPJam Inspector unauthenticated RCE on 0.0.0.0 |
| CVE-2026-0755 | 9.8 | gemini-mcp-tool command injection |
| CVE-2025-65513 | 9.3 | Fetch MCP Server SSRF via private IP validation bypass |
| CVE-2025-68145 | Critical | Anthropic mcp-server-git chain enabling RCE via malicious .git/config |
| CVE-2025-53967 | High | Figma MCP Server RCE via unsanitized curl fallback |
| CVE-2025-53355 | High | Kubernetes MCP execSync command injection |

The incident timeline from 2025 through early 2026 shows this is not a theoretical risk:

April 2025: Tool poisoning proof-of-concept combines a malicious MCP server with the legitimate whatsapp-mcp server. The attacker's tool shadow causes the WhatsApp server to forward hundreds of messages to an attacker-controlled number. No code execution required.

May 2025: A malicious public GitHub issue hijacks an AI assistant with MCP GitHub integration. The assistant exfiltrates private repository code, financial data, and project details into a public pull request. This is a textbook indirect prompt injection via MCP.

July 2025: The mcp-remote npm package is found to pass OAuth authorization endpoint URLs directly to the system shell via PowerShell's subexpression evaluation. The package has 437,000 downloads. Cloudflare, Hugging Face, and Auth0 integrations are affected.

September 2025: Researchers identify a fake Postmark MCP server with 1,500 weekly downloads. It silently BCCs all outgoing emails to an attacker-controlled address. Users see normal email behavior.

October 2025: A path-traversal bug in Smithery's Docker build configuration exposes the builder's home directory. Stolen Fly.io API tokens compromise 3,000+ hosted MCP servers.

April 2026: OX Security discloses a systemic STDIO architectural vulnerability. The OS command that launches an MCP server executes regardless of whether the server starts successfully. Passing a malicious command as the server binary results in execution at installation time, with no further user interaction. OX estimates 200,000 servers at risk. Anthropic classifies this as "expected behavior" and declines to modify the protocol.

The STDIO Architectural Problem

The STDIO transport flaw deserves specific treatment because it is architectural, not a bug in a single package.

When a host application launches an MCP server over STDIO, it executes an OS command. The architecture assumes that command represents a legitimate server binary. There is no verification step before execution. If a malicious command is supplied as the server path, it runs immediately.

OX Security identified four sub-types: unauthenticated command injection, hardening bypasses using allowed arguments such as npx -c, zero-click prompt injection across IDEs including Cursor and Claude Code, and malicious marketplace attacks that poison MCP server definitions before installation.

The practical implication: connecting to an untrusted MCP server definition, or installing a package that specifies a malicious server path, can result in immediate code execution on the developer's or employee's machine. No user confirmation is required beyond the initial server connection.

This is why treating MCP server approval as a security control, rather than a configuration step, matters.

Enterprise Defense Controls

Effective MCP security requires controls across the procurement, configuration, and runtime layers.

Inventory and approval. Maintain an approved MCP server registry. Any server not on the approved list should be blocked at the host level. This prevents shadow MCP servers and supply chain substitution attacks. Pin approved servers by package hash, not version number, to detect rug pull attacks.
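A host-side gate implementing the registry check above, as an added example that is not BeyondScale's code or any MCP host's real implementation. It assumes an mcpServers-style JSON config layout and constructed sample bytes standing in for the installed server artifact; it blocks unregistered names, launcher mismatches, code-evaluation flags, and artifacts whose SHA-256 does not match the pin.

```python
import hashlib
import json

# Constructed bytes standing in for the approved server's installed artifact
# (in practice: the package tarball or bundle the host would launch).
PACKAGE_BYTES = b"example-filesystem-mcp-server 1.2.3 (constructed sample)"

# Approved registry: server name -> expected launcher and SHA-256 pin of the
# artifact. Pinning the hash rather than the version means a republished
# (rug-pulled) build carrying the same version number fails the check.
APPROVED = {
    "filesystem": {"command": "node",
                   "sha256": hashlib.sha256(PACKAGE_BYTES).hexdigest()},
}

# Launcher flags that evaluate their argument as code; the article cites npx -c
# as a hardening bypass, so these are refused even for approved launchers.
EVAL_FLAGS = {"-c", "-e", "--eval"}

def evaluate_servers(host_config, registry, artifacts):
    """Decide per server in an mcpServers-style config (assumed layout).

    artifacts: server name -> bytes of the artifact that would be launched.
    Returns {name: "allow" | "block: <reason>"}.
    """
    decisions = {}
    for name, spec in host_config.get("mcpServers", {}).items():
        approved = registry.get(name)
        if approved is None:
            decisions[name] = "block: not in approved registry (shadow server)"
        elif spec.get("command") != approved["command"]:
            decisions[name] = "block: launcher differs from approved definition"
        elif EVAL_FLAGS.intersection(spec.get("args", [])):
            decisions[name] = "block: code-evaluation flag in launcher arguments"
        elif name not in artifacts:
            decisions[name] = "block: no artifact available to verify"
        elif hashlib.sha256(artifacts[name]).hexdigest() != approved["sha256"]:
            decisions[name] = "block: artifact hash does not match pin"
        else:
            decisions[name] = "allow"
    return decisions

# Constructed host config: one registered server, one that nobody approved.
SAMPLE_CONFIG = json.loads("""{
  "mcpServers": {
    "filesystem":   {"command": "node", "args": ["server.js", "/srv/docs"]},
    "notes-helper": {"command": "npx",  "args": ["-y", "notes-helper-mcp"]}
  }
}""")

if __name__ == "__main__":
    print(evaluate_servers(SAMPLE_CONFIG, APPROVED, {"filesystem": PACKAGE_BYTES}))
```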

Authentication standards. Require OAuth 2.0 for all MCP server authentication. Static API keys passed through environment variables should be rejected in security policy. Short-lived tokens with defined scopes reduce blast radius when credentials are compromised.

Tool definition review. Treat tool descriptions as untrusted code before any server is connected. Review the full JSON schema, not the display name. Look for natural language instructions embedded in descriptions or parameter annotations. This is the primary detection surface for tool poisoning.

Runtime monitoring. Instrument the MCP host to log all tool calls, parameters, and results. Establish behavioral baselines for normal agent activity. Alert on unusual call sequences, calls to tools that were not recently used, or calls that combine file access with network transmission. Our AI security assessment covers MCP runtime monitoring design for enterprise environments.
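Detection logic for the file-access-then-network-transmission sequence described above, run over a constructed JSONL tool-call log; this is an added example, not BeyondScale's assessment tooling. The log record shape and the tool-to-capability map are assumptions; in a real host the map would come from the approved-server registry.

```python
import json
from collections import defaultdict

# Capability class of each approved tool. In a real host this comes from the
# approved-server registry; constructed here for the example.
TOOL_CATEGORY = {
    "read_file": "file_read", "list_directory": "file_read",
    "send_email": "network_send", "http_post": "network_send",
    "add": "compute",
}

def detect_suspicious_calls(log_lines, window=5):
    """Scan JSONL tool-call records {session, seq, tool, params} and return alerts
    for (a) tools not in the registry and (b) a file read followed within
    `window` calls of the same session by a network-sending tool."""
    by_session = defaultdict(list)
    for line in log_lines:
        rec = json.loads(line)
        by_session[rec["session"]].append(rec)
    alerts = []
    for session, calls in by_session.items():
        calls.sort(key=lambda r: r["seq"])
        pending_reads = []  # file reads not yet paired with a send
        for call in calls:
            category = TOOL_CATEGORY.get(call["tool"])
            if category is None:
                alerts.append({"session": session, "seq": call["seq"],
                               "rule": "unregistered tool", "tool": call["tool"]})
            elif category == "file_read":
                pending_reads.append(call)
            elif category == "network_send":
                for read in pending_reads:
                    if call["seq"] - read["seq"] <= window:
                        alerts.append({"session": session, "seq": call["seq"],
                                       "rule": "file read followed by network send",
                                       "read_params": read["params"], "send_params": call["params"]})
                        break
    return alerts

# Constructed log: s1 reads then emails within the window, s2 emails long after
# its read, s3 calls a tool nobody approved.
SAMPLE_LOG = [
    '{"session":"s1","seq":1,"tool":"read_file","params":{"path":"/srv/docs/roadmap.md"}}',
    '{"session":"s1","seq":2,"tool":"send_email","params":{"to":"someone@example.net"}}',
    '{"session":"s2","seq":1,"tool":"read_file","params":{"path":"/srv/docs/notes.md"}}',
    '{"session":"s2","seq":9,"tool":"send_email","params":{"to":"team@example.com"}}',
    '{"session":"s3","seq":1,"tool":"run_shell","params":{"cmd":"ls"}}',
]

if __name__ == "__main__":
    for alert in detect_suspicious_calls(SAMPLE_LOG):
        print(json.dumps(alert))
```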

Sandboxing and least privilege. Run MCP servers in isolated environments with minimal filesystem and network access. Servers that require only read access to specific directories should not have write access or internet connectivity. This limits the impact of tool poisoning and supply chain attacks.

Context isolation. Avoid connecting multiple MCP servers with different trust levels in the same agent session. A server with access to email and a server with access to internal databases should not share a context window unless the combined risk has been assessed.

For organizations deploying MCP at scale, a formal threat model using the STRIDE framework applied to each architectural component provides a structured baseline. Research published on arXiv (arXiv:2603.22489) applied STRIDE and DREAD across five MCP architectural components and found all seven major MCP clients exhibited "significant security issues due to insufficient static validation and parameter visibility."

What Compliance Requires Now

The NIST AI Agent Standards Initiative, launched in February 2026, is developing formal standards for agentic AI deployments. NIST SP 800-53 control overlays for AI include two agentic deployment profiles. Neither is MCP-specific yet, but the general AI agent controls apply directly.

NIST ATT&CK v5.4.0 added "Publish Poisoned AI Agent Tool" as a technique, directly acknowledging MCP-style attacks as a named threat in the adversarial framework.

For organizations subject to SOC 2, the change management and vendor risk controls apply to MCP servers immediately. Third-party MCP packages are software dependencies. They require the same supply chain scrutiny as any other dependency.

Financial services firms subject to DORA and healthcare organizations subject to HIPAA have specific data handling requirements that intersect with MCP's context sharing model. An MCP server with access to patient records and another server with internet connectivity should never share a session without explicit risk acceptance.

Our compliance resources cover how MCP deployments interact with HIPAA, SOC 2, and PCI-DSS requirements in detail.

The 14% Problem

Lakera's 2025 GenAI Security Readiness Report found that only 14% of organizations running agents in production have runtime guardrails in place. The remaining 86% are operating with no visibility into what their agents are doing with MCP tools.

This is the most actionable statistic for enterprise security teams. The technology is deployed. The incidents are real. The OWASP framework exists. The gap is implementation.

A baseline security posture for MCP requires:

  • An inventory of all MCP servers in use across the organization
  • Authentication requirements that exclude static long-lived credentials
  • Tool definition review as part of the server approval process
  • Runtime logging sufficient to reconstruct what any agent did and why
  • Incident response procedures that include MCP tool call logs as evidence

None of these require novel technology. They require applying existing security disciplines to a new protocol surface.

Conclusion

MCP security has a defined threat landscape, confirmed CVEs, real incidents with documented impact, and an emerging compliance framework in the OWASP MCP Top 10. The attack surface is larger than most organizations recognize: tool poisoning, rug pulls, tool shadowing, supply chain substitution, and an architectural STDIO vulnerability affecting an estimated 200,000 servers.

The organizations best positioned to use AI agents safely are not those who deploy cautiously. They are those who deploy with instrumented controls: server inventories, OAuth authentication, tool description review, and runtime monitoring.

If your organization is deploying MCP-connected agents without a formal security assessment, start there. BeyondScale's AI security scan identifies MCP exposure and authentication gaps in your environment. Our team can also provide a full MCP threat model for enterprise deployments.

Sources: OWASP MCP Top 10, VulnerableMCP.info, NIST AI Agent Standards Initiative, Astrix State of MCP Security 2025, arXiv:2603.22489, OX Security STDIO Disclosure, Invariant Labs Tool Poisoning Research
