MCP Production Security · Field Breakdown

MCP opens trust all the way by default.
Tightening it is left to you.

MCP solves a real problem: one protocol, any tool, any client, instead of a custom integration per tool and framework. But its defaults were optimised for getting something working, not for production security. Auth is optional, tool definitions are mutable, and a session hands the agent every credential at once — and the protocol working group doesn't plan to tighten those at the spec level for you anytime soon.

Protocol default
  • HTTP servers can implement auth — not must
  • Tool definitions can be swapped mid-session
  • All tool credentials issued at session start
  • Tool output received as trusted context
who tightens
Production needs
  • Mandatory OAuth 2.1 + TLS per HTTP endpoint
  • Pin the manifest hash; block on change
  • Task-scoped grants, loaded per turn
  • Strict output-schema validation
40+ CVEs accumulated against the MCP ecosystem by mid-2026 — over 30 in a single 60-day window in February 2026 alone. The predictable, early-adoption security debt of a protocol that prioritised getting to adoption first.
Sources: FlowVerify, "MCP security: what breaks when you go to production" (2026-06-10) · NSA, "MCP: Security Design Considerations for AI-Driven Automation" (2026-05-20) · NVD / GitHub Security Advisory. Quotes preserved verbatim.
Note before we start

Clearing out one popular fake vulnerability

A widely shared post claims a "CVE-2026-32814 / X-MCP-Authenticated header auth bypass." Before anything else: it is fictional.

A tabletop scenario, not a live vulnerability

The source (RingSafe) states at the top of its own page that this is a "Scenario Brief — not a report of a live incident," and that the "CVE identifiers, advisory numbers, organisation references, dates, and figures used below are illustrative"; the body literally calls it "a hypothetical CVE-2026-XXXXX." Searching the ID returns only that post, NVD has no such entry, and the X-MCP-Authenticated header does not exist in any real MCP SDK. It is a tabletop exercise scripted for SOC training. This article does not use it; the "in-the-wild vulnerabilities" in Section 6 are all real CVEs with NVD entries and official patches.

01
Optional AuthAttack surface

Auth is optional in the spec — and most deployments skip it

MCP has two transports. stdio runs over a local socket with no authentication mechanism; it assumes both ends are trusted processes on the same machine — fine in local dev, broken the moment you go hosted or multi-tenant. HTTP gained formal OAuth 2.1 (with PKCE) support in June 2025, but the spec says HTTP servers can implement authorization, not that they must. Authorization is explicitly optional, and most public servers don't implement it.

38–41%
of the 518 officially registered servers Trend Micro scanned offered no meaningful authentication
3 in 5
of 1,467 publicly accessible servers had no auth or encryption at all
2,600+
CVE-2026-33032: nginx-ui MCP endpoint with no auth on command execution — instances exposed before the fix
Real incidentClawdbot2026-01

An open-source AI agent shipped with authentication disabled by default on its HTTP gateway. Over 2,000 deployed instances leaked credentials and full conversation histories to anyone who knew the endpoint path. There was no code-level vulnerability to patch — the endpoint simply had no auth layer, and nothing in the protocol had required one.

02
Tool Rug PullAttack surface

Tool definitions that change after you approve them

On first connection, the client fetches the server's tool manifest — names, descriptions, parameter schemas. The user reviews it, approves, and the agent starts calling. What most teams don't know: those definitions are fetched dynamically at session start, and the protocol includes notifications/tools/list_changed, which lets a server push updated schemas mid-session without any client re-approval. The spec requires neither immutable definitions nor content hashing. An approved server can serve a different manifest on every connection.

Enabling conditions
  • Definitions mutable via list_changed mid-session
  • Clients approve once, on first connect
  • Malicious instructions sit below the visible prompt area
Primary mitigation
  • Hash the full manifest on first approval; compare each connection
  • Use mcp-scan to flag manifest changes
  • ETDI tool signing (arXiv:2506.01333)
Real incident · CVE-2025-54136 (MCPoison)postmark-mcp2025-09

An npm package posing as a legitimate email integration built credibility over 15 releases with a clean download history. Version 1.0.16 added a single line of code: a silent BCC on all outgoing emails to an attacker-controlled address. Agents that had approved it kept calling without re-reviewing. An estimated 300 organisations and ~1,500 weekly downloads were affected before removal.

A peer-reviewed study (arXiv:2603.22489, March 2026) evaluated seven major MCP clients against changed or malicious tool definitions; five of the seven implemented no static validation, accepting whatever the server returned. Even clients with approval dialogs are often vulnerable, because the malicious instructions appear below the visible area and rely on users clicking Approve without scrolling.

03
Indirect Prompt InjectionAttack surface

Indirect prompt injection, arriving through tool output

Prompt injection usually needs access to the system prompt or user input. MCP opens another path: tool output. When a tool returns data, the model receives it as trusted context — the result of something it asked for. If that data contains text structured to look like an instruction, the model will often follow it. More capable models are, on average, more vulnerable, because they follow instructions more precisely.

72.8%
MCPTox attack success rate against o1-mini (45 real servers, 1,312 adversarial cases, 10 categories)
78.3%
Unit 42: with five servers connected, a single compromised one achieves this rate across the full deployment
Real incidentSupabase × Cursor agent2025

The Cursor agent ran with service-role database access — the highest-privilege credential, which bypasses row-level security — processing customer support tickets through an MCP tool. One ticket contained embedded SQL instructions instead of plain text. The agent ingested the ticket, treated the SQL as context it had been given, and executed it, exfiltrating integration tokens from the database. The entire attack surface was the content of a support ticket; no system prompt was compromised.

Real incident · documented by Invariant LabsGitHub MCP × broad PAT2025-05

Malicious GitHub issues were written to be read by an agent holding a broadly-scoped Personal Access Token, structured to resemble instructions from a trusted source. The agent followed them, accessed the developer's private repositories, and created a public pull request containing the exfiltrated private repo names, project details, and personal financial data.

The attack scales with your tool surface. Every data source the agent reads through MCP — databases, issue trackers, inboxes, document stores — is a potential injection point. FlowVerify's control lives at the data layer: strict output schemas defining exactly what fields each tool can return, validated before the model sees them, with any free-form text treated as inert data rather than instruction candidates.

04
Ambient Authority · Confused DeputyMost structural

Ambient authority and the confused deputy

This failure mode is structural. MCP grants the agent the full tool set at session start, and all those credentials remain present for the entire session. This is ambient authority: the agent holds everything simultaneously, not just what the current task needs. A server exposing twenty tools receives one OAuth session token covering all of them; after the initial handshake, there is no per-tool authorization barrier.

Ambient authority enables the confused deputy attack. Tool A has read access to a low-privilege store and returns output structured as an instruction for Tool B, which has write access to something sensitive. The model reads Tool A's output as trusted context and invokes Tool B accordingly. Neither tool was compromised; no auth check failed. The attack succeeds because both credentials were present at once and the model can't distinguish tool-output-as-data from tool-output-as-instruction.

Real incident · demonstrated by Invariant Labs"random fact of the day" × WhatsApp server2025-04

A "random fact of the day" MCP server carried hidden instructions in its tool description targeting a co-installed WhatsApp MCP server. The agent read the hidden instructions, used its legitimate WhatsApp access to read the user's full message history, and exfiltrated it as an outgoing message, obfuscated via whitespace padding to evade DLP. The WhatsApp server was never compromised — the attack exploited the ambient authority the agent held over both servers at once.

"Most MCP deployments give an agent all its credentials at session start. The confused deputy attack doesn't need a compromised tool — it needs two tools that are both already trusted."

— FlowVerify Engineering
Real CVEs

The real through-line: three official SDKs, one default-config flaw

With the fictional CVE set aside, the real, verifiable vulnerabilities make the point better. They converge on the same repeated mistake: the official SDKs' localhost HTTP transports don't validate the request's Host / Origin header by default, so they get hit by DNS rebinding or cross-site requests — categorised as Insecure Default Initialization (CWE-1188).

How DNS rebinding works here

Setup
MCP server runs on localhost in dev, no auth enabled
01
A malicious page's domain first resolves to the attacker's IP
02 rebind
The same domain rebinds to 127.0.0.1
03
Page JS requests it; the browser judges by hostname and treats it as same-origin
04
The request lands on the local server as a locally-issued tool call

Because MCP servers commonly expose tools that read source, run shell, or speak to cloud APIs, a rebound request can drive the whole tool surface from any browser tab the user happens to leave open. MCPSafe notes that a bearer token alone doesn't help: if the token is in a previously-set cookie or header, the rebinding request carries it; the only reliable defense is a per-request Host check.

All of the following are verifiable on NVD or official GitHub Security Advisories, each with a patch version:

CVE-2025-66414 TypeScript SDK
localhost HTTP server doesn't enable DNS rebinding protection by default; a malicious site can bypass same-origin policy to call local tools. stdio unaffected.
Fixed → 1.24.0 (createMcpExpressApp secure defaults + Host check)
[official] NVD; GHSA-w48q-cv73-mx4w
CVE-2026-34742 Go SDK
Same DNS rebinding class: no Host header / loopback validation.
Fixed → 1.4.0 (Host check + loopback verification)
[official] NVD / SentinelOne
CVE-2026-33252 Go SDK
Streamable HTTP transport accepts cross-site browser POSTs without validating Origin or requiring Content-Type: application/json; in unauthenticated deployments any site can trigger tool execution (CSRF, CWE-352).
Fixed → 1.4.1 (Content-Type check + configurable Origin check)
[official] NVD; GHSA-89xv-2j6f-qhc8
CVE-2025-54136 Protocol
Tool-definition rug pull: server can swap the manifest after approval (MCPoison).
[third-party] Check Point Research
CVE-2026-33032 nginx-ui MCP
Command-execution endpoint with no authentication; 2,600+ instances exposed.
Patched
[third-party] via FlowVerify
mcp-toolbox #3076 Google
Auth middleware fails open: when the external authz server times out / returns 500, the switch misses the 500 case and lets the unauthenticated request through.
Fix: fail closed (add a default case)
[official] GitHub Issue

Lining up the same class of flaw across the TypeScript and Go SDKs, the conclusion matches FlowVerify and the NSA: this isn't one implementer's slip, but the protocol's early "make it convenient first" default replicated into every official implementation — each later closed by adding Host/Origin validation.

NSA Official Guidance · 2026-05-20

The NSA's read: adoption has outpaced security

On May 20, 2026, the NSA published "Model Context Protocol (MCP): Security Design Considerations for AI-Driven Automation." Its overall judgment: MCP's rapid adoption has outpaced the development of appropriate security safeguards, leaving organizations exposed to risks the protocol's designers and implementers did not fully anticipate. On the left are the eight risks it names; on the right, the nine matching recommendations.

Eight risks

  • Uncontrolled automated actions — the AI can decide on its own to use new tools or take new actions.
  • Lack of input screening — hidden commands in data slip through undetected.
  • Context poisoning — outputs misread as instructions rather than information.
  • Lack of identity & access controls — access granted without verifying who or whether permitted.
  • Data leakage — shared info inadvertently exposed to multiple services.
  • Lack of human approval steps — actions without sign-off; capability/access changes skip review.
  • Credential reuse risk — no token expiry/revocation; stolen credentials can be replayed.
  • Susceptibility to overload attacks — request floods can cause DoS.

Nine recommendations

  1. Go beyond the official documentation; add deliberate safeguards for your environment.
  2. Use reliable, actively maintained MCP tools from trusted sources.
  3. Subject MCP tools to your most rigorous review processes (code-audit grade).
  4. Separate systems and data by trust level; isolate public-info tools from sensitive-data tools.
  5. Grant only the minimum access necessary; block what a tool doesn't need.
  6. Keep processing of private or sensitive data local where possible.
  7. Screen all inputs before processing — especially where one model's output feeds another.
  8. Treat all automated actions as high-risk, confined within strict permission boundaries.
  9. Maintain comprehensive activity logs, integrated into existing security monitoring.

"It is essential that MCP operations are brought in line with established secure computing practices without stifling the flexibility and power that make it attractive in the first place."

— NSA guidance (via Reed Smith)
Hardening Checklist · FlowVerify

What to check before shipping MCP to production

FlowVerify maps each failure mode to its enabling condition, a documented example, and the primary mitigation.

Failure modeEnabling conditionDocumented examplePrimary mitigation
Tool rug pullDefs mutable via list_changed; approve oncepostmark-mcp (2025-09); CVE-2025-54136ETDI signing; mcp-scan manifest hashing
Indirect prompt injectionTool output trusted; no schema enforcementSupabase/Cursor SQL exfil; GitHub MCP leak (2025-05)Strict output schema; free-form text as untrusted
Confused deputy / ambient authoritySession OAuth token covers all tools at onceWhatsApp chat exfil (2025-04); 78.3% multi-server (Unit 42)Task-scoped grants; per-turn tool loading
Unauthenticated HTTP gatewayHTTP auth optional, most skip itClawdbot (2026-01); CVE-2026-33032Mandatory OAuth 2.1; enforce at gateway

Beyond the per-row mitigations, FlowVerify lists practices that should be defaults for every production deployment:

FlowVerify notes the MCP spec working group is discussing tool-definition immutability, finer-grained permission scoping, and mandatory auth for HTTP transports, so several of these gaps are likely to narrow in the 2026 spec revisions. The controls above address what's exploited today.