AI Agent Security Risks Around MCP and Over-Privileged Tool Access
Security commentary warned that the Model Context Protocol (MCP) has introduced a major context-layer attack surface by letting AI agents trust external tools and content without adequate authorization, validation, or isolation. The SC Media piece argues that organizations built zero-trust controls for users and devices but then undermined them by granting AI agents broad implicit trust, citing rapid MCP adoption, thousands of internet-exposed MCP servers, and prior demonstrations in which malicious MCP infrastructure or poisoned content drove agents to exfiltrate sensitive data and perform unauthorized actions.
A related PyPI package, ciaf-agents, addresses the same broad problem space by proposing zero-trust execution boundaries for AI agents, including identity, authorization, mediation, elevation control, and auditability to prevent unauthorized data access and destructive operations. A separate post on building an agentic malware-analysis pipeline is not about MCP exposure or agent trust-boundary failures; it focuses on using LLM agents to improve reverse engineering and malware analysis workflows rather than documenting the same security issue or incident.
Timeline
Apr 14, 2026
AWS publishes MCP security guidance for AI agent access to AWS resources
AWS published official guidance on securing AI agents and coding assistants that access AWS resources through MCP. The blog recommended scoped temporary credentials, governance over role usage, and mechanisms to distinguish AI-driven actions from human activity, including AWS-specific IAM context keys for AWS-managed MCP servers.
Mar 28, 2026
UK AI Safety Institute study maps rapid rise of action-capable MCP tools
A UK AI Safety Institute study of 177,436 MCP tools created between November 2024 and February 2026 found action-tool usage grew from 27% to 65%, with strong growth in computer-use, browser automation, and financial tooling such as payment-execution servers. The study also found increasing AI-assisted development of MCP servers and warned that the shift toward agents that can execute code, modify files, send emails, and interact with financial systems raises major enterprise security and governance risks.
Mar 25, 2026
Researcher shows poisoned Context Hub docs can steer agents to malicious packages
Researcher Mickey Shmueli published a proof-of-concept showing that if malicious documentation were merged into Andrew Ng’s Context Hub repository, AI coding agents consuming it through MCP could be induced to add fake or malicious dependencies to generated projects. The report highlighted weak documentation sanitization in the pipeline and framed the issue as an indirect prompt-injection supply chain risk for community-authored agent documentation.
Mar 18, 2026
SC Media warns MCP creates a new zero-trust blind spot
SC Media published a perspective arguing that MCP has opened a new context-layer attack surface that traditional zero-trust architectures do not adequately address. The article warned that a major enterprise breach mediated through MCP is likely unless organizations validate context inputs and treat MCP connectivity as privileged access.
Mar 18, 2026
CIAF-Agents package published with zero-trust controls for AI agents
The ciaf-agents package was published on PyPI, presenting a zero-trust framework for agent execution boundaries with IAM, PAM, mediated execution, and cryptographic audit receipts. The release framed excessive agent privilege and weak verification as key security risks in autonomous AI systems.
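The mediation pattern that both the SC Media perspective (validate context inputs, treat MCP connectivity as privileged access) and the ciaf-agents release (identity, authorization, elevation control, cryptographic audit receipts) describe can be illustrated with a small policy gate that sits between an agent and its tools. The code below is an added example for this page; it is not code from ciaf-agents, SC Media, or any MCP implementation. The agent identity `triage-agent`, the tools `read_file` and `delete_file`, the `POLICY` table, the sandbox path rule and the audit key are all constructed for the illustration.

```python
"""
Added illustration of a zero-trust mediation layer for agent tool calls
(not ciaf-agents code). Every call is checked against an identity-scoped
allowlist and parameter schema, destructive tools additionally require an
explicit elevation grant, and every decision is appended to a hash-chained,
HMAC-authenticated audit log so that edited or dropped records are detectable.
"""
import hashlib
import hmac
import json
import time
from dataclasses import dataclass, field

# Constructed policy table (assumption, not from the page): which tools each
# agent identity may call, the exact parameters each tool accepts, and whether
# the tool is destructive. Anything not listed is denied by default.
POLICY = {
    "triage-agent": {
        "read_file": {"params": {"path": str}, "destructive": False},
        "delete_file": {"params": {"path": str}, "destructive": True},
    }
}


@dataclass
class Mediator:
    audit_key: bytes                       # secret shared only with the auditor
    elevations: set = field(default_factory=set)  # (agent, tool) pairs approved by a human
    log: list = field(default_factory=list)
    _prev_hash: str = "0" * 64             # chain anchor for the first record

    def grant_elevation(self, agent: str, tool: str) -> None:
        """Record a human approval that lets `agent` call the destructive `tool`."""
        self.elevations.add((agent, tool))

    def authorize(self, agent: str, tool: str, params: dict) -> bool:
        """Return True only if the call passes every check; always logs the decision."""
        rules = POLICY.get(agent, {})
        if tool not in rules:
            return self._record(agent, tool, params, "deny", "tool not in allowlist for agent")
        spec = rules[tool]
        # Parameter set must match the schema exactly: no extra or missing arguments.
        if set(params) != set(spec["params"]):
            return self._record(agent, tool, params, "deny", "unexpected parameter set")
        for name, expected_type in spec["params"].items():
            if not isinstance(params[name], expected_type):
                return self._record(agent, tool, params, "deny", f"bad type for {name}")
        # Constructed sandbox rule: file paths must be relative and free of traversal.
        path = params.get("path")
        if path is not None and (".." in path or path.startswith("/")):
            return self._record(agent, tool, params, "deny", "path outside sandbox")
        # Destructive operations need an out-of-band elevation grant.
        if spec["destructive"] and (agent, tool) not in self.elevations:
            return self._record(agent, tool, params, "deny", "destructive tool requires elevation")
        return self._record(agent, tool, params, "allow", "policy satisfied")

    def _record(self, agent, tool, params, decision, reason) -> bool:
        """Append a receipt chained to the previous one and authenticated with HMAC."""
        entry = {
            "ts": time.time(),
            "agent": agent,
            "tool": tool,
            "params": params,
            "decision": decision,
            "reason": reason,
            "prev": self._prev_hash,
        }
        body = json.dumps(entry, sort_keys=True).encode()
        entry["hash"] = hashlib.sha256(body).hexdigest()
        entry["mac"] = hmac.new(self.audit_key, body, hashlib.sha256).hexdigest()
        self.log.append(entry)
        self._prev_hash = entry["hash"]
        return decision == "allow"

    def verify_log(self) -> bool:
        """Recompute the chain and MACs; False if any record was altered or removed."""
        prev = "0" * 64
        for entry in self.log:
            fields = {k: v for k, v in entry.items() if k not in ("hash", "mac")}
            body = json.dumps(fields, sort_keys=True).encode()
            if entry["prev"] != prev:
                return False
            if entry["hash"] != hashlib.sha256(body).hexdigest():
                return False
            expected_mac = hmac.new(self.audit_key, body, hashlib.sha256).hexdigest()
            if not hmac.compare_digest(entry["mac"], expected_mac):
                return False
            prev = entry["hash"]
        return True


if __name__ == "__main__":
    m = Mediator(audit_key=b"constructed-demo-key")
    print(m.authorize("triage-agent", "read_file", {"path": "notes.txt"}))       # True
    print(m.authorize("triage-agent", "delete_file", {"path": "tmp.log"}))       # False until elevated
    m.grant_elevation("triage-agent", "delete_file")
    print(m.authorize("triage-agent", "delete_file", {"path": "tmp.log"}))       # True
    print(m.authorize("triage-agent", "read_file", {"path": "../secrets.env"}))  # False
    print(m.verify_log())                                                        # True
```

The point of the design is that the agent never holds the authority to act; the gate does, and it decides per call from the agent's identity rather than from anything in the model's context. Denials are logged with the same rigour as approvals, so an injected instruction that attempts a destructive call leaves a verifiable trace even when it is blocked.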
Mar 10, 2026
Microsoft patches Azure MCP Server SSRF flaw CVE-2026-26118
Microsoft patched CVE-2026-26118 on 2026-03-10, fixing a server-side request forgery vulnerability in Azure MCP Server. The flaw could allow an authorized attacker to steal the server’s managed identity token and elevate network privileges.
Jan 1, 2025
JFrog discloses CVE-2025-6514 in MCP server implementations
JFrog disclosed CVE-2025-6514 in 2025, an OS command-injection vulnerability (CVSS 9.6) affecting MCP server scenarios. The flaw could allow remote code execution when clients interacted with untrusted MCP servers.
Jan 1, 2025
Supabase Cursor agent abused through malicious support tickets
In 2025, attackers demonstrated that malicious support tickets could be used to abuse Supabase's Cursor agent. The example showed how hostile context entering an agent workflow could trigger unauthorized actions or data exposure.
Jan 1, 2025
Private repository data leakage shown through GitHub issues
A 2025 incident showed that GitHub issue content could be abused to cause leakage of private repository data through AI agent workflows. The case illustrated the risk of treating untrusted issue text as safe context for agent actions.
Jan 1, 2025
Invariant Labs demonstrates WhatsApp data exfiltration via MCP
Invariant Labs demonstrated an MCP-related attack in 2025 in which malicious context could drive an AI agent to exfiltrate WhatsApp data. The incident highlighted how untrusted inputs could manipulate agent behavior without compromising the underlying model.
Jan 1, 2025
Major platforms adopt MCP for agentic AI integrations
Platforms including Microsoft Copilot Studio and Azure AI Foundry adopted MCP as part of their agentic AI offerings, accelerating enterprise use of the protocol despite limited built-in security controls.
Dec 1, 2024
Anthropic introduces the Model Context Protocol
Anthropic introduced the Model Context Protocol (MCP) in late 2024, creating a standardized way for AI agents to connect to external tools and data sources. The protocol was then rapidly adopted across agentic AI ecosystems.
Sources
5 more from sources like github.com, scworld, pypi, doyensec blog and hungyichen.com
Related Stories

Model Context Protocol (MCP) Security Risks From Untrusted Tool Servers and Verifiability Gaps
Security researchers warned that the *Model Context Protocol (MCP)*—used to let AI assistants connect to local tools and enterprise SaaS data—creates a significant attack surface when organizations install or authorize MCP “servers” and tool integrations. Praetorian highlighted that **locally hosted MCP servers run with the user’s privileges** and can therefore execute arbitrary commands, access local files, install malware, and exfiltrate data while masquerading as legitimate productivity tooling; it also described **“MCP server chaining,”** where a malicious local MCP server abuses data and actions flowing through a trusted remote integration (e.g., Slack/Google Drive) without needing to compromise the official provider. Separately, Gopher Security emphasized a **trust and auditability gap** in MCP deployments: standard logging for remote tool execution can be incomplete or tampered with, and organizations often cannot prove what code ran or what parameters were used inside a remote “black box” execution environment. The post described “puppet”/interception-style scenarios where an attacker could alter an MCP request (e.g., changing tool-call parameters to trigger data exfiltration or unauthorized actions) while returning plausible “success” responses, and proposed cryptographic approaches (e.g., **zero-knowledge proofs**) to make MCP tool execution verifiable rather than relying on mutable logs.
Today
Security Exposure and Threat Landscape for Model Context Protocol (MCP) Servers
Security researchers evaluated the risks associated with deploying Model Context Protocol (MCP) servers, which enable AI systems like ChatGPT to interact with external tools and data. One investigation used the GitHub MCP server in conjunction with OpenAI's Codex to analyze code, identify security issues, and propose fixes, highlighting how AI agents can streamline code review and vulnerability management. The study also explored whether AI-driven code analysis could be manipulated to conceal security flaws, emphasizing the importance of context and transparency in automated security workflows. Separately, honeypots simulating MCP server deployments were exposed to the internet to assess real-world attack activity. These honeypots, configured with varying authentication levels, were quickly discovered by internet scanners but did not experience targeted exploitation or MCP-specific attacks. The only notable incident was a controlled proof-of-concept prompt-hijacking flaw in a custom MCP build, which was not observed in the wild. The findings suggest that, while MCP servers are rapidly indexed by threat actors, current risks stem primarily from implementation errors rather than active targeting, underscoring the need for secure deployment practices and ongoing monitoring as MCP adoption grows.
1 month ago
Adoption and Security Implications of AI and MCP in SOC and Application Security
Security teams are increasingly integrating AI-powered tools and custom agents into their Security Operations Centers (SOCs), leveraging frameworks like the Model Context Protocol (MCP) to orchestrate vendor capabilities with internal systems. This approach enables more efficient alert triage, workflow automation, and the combination of pre-built and custom AI agents, allowing for tailored security operations that bridge gaps between disparate tools and organizational context. Simultaneously, the rise of AI-generated code and AI coding assistants is transforming the application security landscape, introducing new risks such as vulnerabilities in authentication, authorization, and privilege escalation paths. Research highlights that AI-generated code can be vulnerable up to 75% of the time, and traditional security scanners may struggle to detect architectural flaws in such code due to the lack of standard identifiers. The adoption of MCP is noted as a pervasive trend, offering both opportunities and challenges in managing these evolving risks.
1 month ago