Model Context Protocol (MCP) Security Risks From Untrusted Tool Servers and Verifiability Gaps
Security researchers warned that the Model Context Protocol (MCP)—used to let AI assistants connect to local tools and enterprise SaaS data—creates a significant attack surface when organizations install or authorize MCP “servers” and tool integrations. Praetorian highlighted that locally hosted MCP servers run with the user’s privileges and can therefore execute arbitrary commands, access local files, install malware, and exfiltrate data while masquerading as legitimate productivity tooling; it also described “MCP server chaining,” where a malicious local MCP server abuses data and actions flowing through a trusted remote integration (e.g., Slack/Google Drive) without needing to compromise the official provider.
Separately, Gopher Security emphasized a trust and auditability gap in MCP deployments: standard logging for remote tool execution can be incomplete or tampered with, and organizations often cannot prove what code ran or what parameters were used inside a remote “black box” execution environment. The post described “puppet”/interception-style scenarios where an attacker could alter an MCP request (e.g., changing tool-call parameters to trigger data exfiltration or unauthorized actions) while returning plausible “success” responses, and proposed cryptographic approaches (e.g., zero-knowledge proofs) to make MCP tool execution verifiable rather than relying on mutable logs.
Timeline
May 3, 2026
OSINT Team describes poisoned MCP tool attack against OmniChat Desktop
An OSINT Team blog post outlined a prompt-injection style attack against OmniChat Desktop in which a malicious third-party MCP weather tool embeds hidden instructions in its tool description. The scenario showed how untrusted MCP metadata could trick the application into exfiltrating a user's email address through an optional request parameter during a weather query.
Apr 28, 2026
Researcher reports lateral-movement risk via production MCP server
An InfoSec Write-ups article described a security assessment of a production CMS for hedge funds that exposed administrative functionality through an MCP server accessible from AI clients such as Claude Desktop after OAuth authentication. The article characterized abuse of the MCP server for lateral movement as a critical finding, indicating real-world enterprise risk from MCP-integrated admin tooling.
Apr 20, 2026
CVE-2025-49596 disclosed affecting MCP Inspector
An InfoSec Write-ups article published on April 20, 2026 highlighted CVE-2025-49596 affecting MCP Inspector as an example of emerging MCP security weaknesses. The piece framed MCP servers as repeating early API security mistakes and emphasized threats such as tool poisoning, rug pull attacks, and confused deputy abuse.
Apr 7, 2026
CIO reports persistent real-world attacks targeting MCP servers
CIO reported that MCP servers had become targets of persistent attacks in multiple forms by early April 2026, including a cited attack case involving Cursor’s built-in browser. The article said CISOs were increasingly prioritizing MCP hardening as experts warned that poisoned tools, tampered connectors, and malicious search sources could hijack AI agent behavior.
Feb 19, 2026
Cyber Security News reports practical MCP exploitation findings
Cyber Security News summarized Praetorian's February 2026 findings that MCP servers can be exploited for arbitrary code execution, local data exfiltration, persistence, and AI response manipulation, and highlighted supply-chain risks from dynamic package installation workflows.
Feb 19, 2026
Gopher Security outlines HEAL framework for securing MCP multi-agent routing
Gopher Security described its HEAL framework for securing MCP-based multi-agent systems, emphasizing parameter-level enforcement, context-window monitoring for hidden-instruction attacks, anomaly detection, adaptive access controls, and post-quantum protections.
Feb 17, 2026
Praetorian discloses MCP server attack surface and chaining risks
Praetorian detailed how malicious local MCP servers can execute arbitrary commands with user privileges, access files, install malware, and exfiltrate data, and explained how server chaining can abuse trusted remote integrations without compromising them directly.
Feb 16, 2026
Gopher Security proposes ZK proofs for verifiable MCP tool execution
Gopher Security published a proposal to address MCP's trust gap by having tools return zero-knowledge proofs alongside outputs, allowing cryptographic verification that specific code ran on specific inputs without exposing secrets.
Feb 1, 2026
Praetorian assesses MCP ecosystem and develops MCPHammer
In February 2026, Praetorian evaluated the MCP ecosystem and created the open-source MCPHammer toolkit to demonstrate MCP server chaining, content injection, and data exfiltration techniques across multiple models and agents.
Nov 1, 2024
Anthropic announces the Model Context Protocol
Anthropic announced the open-source Model Context Protocol (MCP) in November 2024 as a standard for connecting AI assistants to external tools and data sources through standardized server integrations.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Malware
Organizations
Affected Products
Sources
3 more from sources like gopher security blog and praetorian blog
Related Stories
Security Exposure and Threat Landscape for Model Context Protocol (MCP) Servers
Security researchers evaluated the risks associated with deploying Model Context Protocol (MCP) servers, which enable AI systems like ChatGPT to interact with external tools and data. One investigation used the GitHub MCP server in conjunction with OpenAI's Codex to analyze code, identify security issues, and propose fixes, highlighting how AI agents can streamline code review and vulnerability management. The study also explored whether AI-driven code analysis could be manipulated to conceal security flaws, emphasizing the importance of context and transparency in automated security workflows. Separately, honeypots simulating MCP server deployments were exposed to the internet to assess real-world attack activity. These honeypots, configured with varying authentication levels, were quickly discovered by internet scanners but did not experience targeted exploitation or MCP-specific attacks. The only notable incident was a controlled proof-of-concept prompt-hijacking flaw in a custom MCP build, which was not observed in the wild. The findings suggest that, while MCP servers are rapidly indexed by threat actors, current risks stem primarily from implementation errors rather than active targeting, underscoring the need for secure deployment practices and ongoing monitoring as MCP adoption grows.
1 months ago
Security Risks and Assessment Tools for Model Context Protocol (MCP) Servers
The rapid adoption of the Model Context Protocol (MCP) is transforming how AI systems interact with external data sources, tools, and APIs, providing a standardized interface for large language models to connect with enterprise environments. While MCP offers significant convenience and interoperability, it also introduces new security challenges, including risks of prompt injection, tool poisoning, and data exfiltration, as attackers can exploit exposed tool descriptions and prompts to manipulate AI systems or compromise sensitive data. To address these emerging threats, the open-source tool Proximity has been released to scan MCP servers for exposed prompts, tools, and resources, enabling security teams to assess potential vulnerabilities before deployment. Proximity, when paired with the NOVA rule engine, allows analysts to write custom rules to detect suspicious or harmful content, such as prompt injection or jailbreak attempts, helping organizations proactively secure their AI integrations as MCP becomes increasingly prevalent in enterprise environments.
1 months ago
AI Agent Security Risks Around MCP and Over-Privileged Tool Access
Security commentary warned that the **Model Context Protocol (MCP)** has introduced a major *context-layer* attack surface by letting AI agents trust external tools and content without adequate authorization, validation, or isolation. The SC Media piece argues that organizations built zero-trust controls for users and devices but then undermined them by granting AI agents broad implicit trust, citing rapid MCP adoption, thousands of internet-exposed MCP servers, and prior demonstrations in which malicious MCP infrastructure or poisoned content drove agents to exfiltrate sensitive data and perform unauthorized actions. A related PyPI package, *ciaf-agents*, addresses the same broad problem space by proposing zero-trust execution boundaries for AI agents, including identity, authorization, mediation, elevation control, and auditability to prevent unauthorized data access and destructive operations. A separate post on building an agentic malware-analysis pipeline is **not** about MCP exposure or agent trust-boundary failures; it focuses on using LLM agents to improve reverse engineering and malware analysis workflows rather than documenting the same security issue or incident.
3 days ago