Major Security Risks Found in MCP Protocol

A new podcast is warning of critical security vulnerabilities in the Model Context Protocol (MCP), a Linux Foundation project for connecting AI agents to tools. Real-world attacks have reportedly seen rogue servers exfiltrate sensitive data like emails and credentials. The risk is heightened by developers spinning up unvetted MCP instances, creating a significant 'shadow IT' problem as AI integration accelerates.

The Model Context Protocol (MCP) was first introduced by Anthropic in November 2024 as an open standard to allow AI models to interact with external tools and data sources. The protocol was later donated to the newly formed Agentic AI Foundation (AAIF), a part of the Linux Foundation, in a move to ensure neutral governance and encourage wider, secure adoption across the industry.

However, the protocol's design, which in some cases prioritizes functionality over security, has led to significant vulnerabilities. Security researchers have pointed to a lack of default authentication standards and the mandated use of session IDs in URLs as fundamental weaknesses. By mid-2025, a series of exploits demonstrated that these were not just theoretical risks.

Real-world incidents have included a critical remote code execution (RCE) vulnerability (CVE-2026-0755) in the open-source `gemini-mcp-tool`. This flaw, rated with a CVSS score of 9.8, stemmed from an `execAsync` method that failed to sanitize user-supplied input, allowing unauthenticated attackers to execute arbitrary code. The vulnerability was reported to the vendor in July 2025, but with no patch released, it was publicly disclosed as a zero-day in January 2026.

Another significant vulnerability, dubbed MCPoison (CVE-2025-54136), was found in the Cursor AI IDE. Attackers could modify an already trusted MCP configuration file in a shared repository. Once a developer approved a seemingly harmless configuration, an attacker could later swap it with a malicious payload, leading to persistent and silent code execution without any further user prompts. Cursor addressed the issue in an update released in July 2025.

A timeline of security breaches throughout 2025 further highlights the risks. In April, a "tool poisoning" attack allowed for the exfiltration of WhatsApp chat histories. In June, a bug in Asana's MCP server risked cross-organization data exposure.
Vulnerabilities were also found in Anthropic's own official `mcp-server-git` and `mcp-remote` projects, leading to RCE and arbitrary file access. These incidents expose common attack patterns, including indirect prompt injection, where malicious instructions are hidden in data consumed by the AI agent, and "tool poisoning," where an MCP tool's metadata is altered to deceive the AI. Attackers have exploited these vectors to leak sensitive data from private GitHub repositories by planting malicious text in public issues that an AI agent is asked to read.

The "shadow IT" problem is exacerbated by the ease with which developers can spin up MCP instances, often without proper security oversight. A study of publicly available MCP servers found that over 40% were susceptible to command injection flaws. This proliferation of insecure, unvetted connections creates a significant, often invisible, attack surface within organizations.
