Unpacking MCP Security: What You Need to Know

Why the Model Context Protocol is powerful — and why it demands serious attention from security teams

Ever since the model context protocol (MCP) was developed and open-sourced by Anthropic in late 2024, it has become the go-to standard for linking large language models (LLMs) with external tools, APIs, and data sources. MCP simplifies and standardizes how models interact with systems, making it easier to build AI agents. Too, building a dynamic tool using AI agents is significantly easier.

Think of the MCP as an abstraction layer. Similar to how APIs transformed web applications, MCP provides an easy way to integrate multiple services without writing glue code or integrating with every model. MCP’s adoption surged in early 2025 after OpenAI and Google Gemini embraced it, making it the de facto standard in the AI ecosystem.

But while MCP unlocks powerful capabilities, as with every new revolutionary technology, it also creates a new attack surface, especially if security isn’t embedded from the outset.

A quick recap: what MCP is and how it works

At its core, MCP acts as an intermediary between an LLM and external systems. It uses a client-server model:

• MCP Client: Resides inside your application (e.g., an AI assistant or IDE). It mainly orchestrates communication between the LLM and the MCP server.
• MCP Server: Acts as a bridge to external systems, exposing data (resources) and actions (tools) for the LLM to use.

Typical MCP Flow

1. The client fetches tool definitions from the MCP server.
2. The LLM uses this context to generate a function call.
3. The client sends the call to the server.
4. The server executes the function (e.g., API call, database query).
5. Results are returned and fed back into the model’s context.

MCP supports two primary transport modes:

• stdio for local connections (fast, but risky with untrusted code).
• HTTP/SSE for remote servers (many early demos lacked encryption).

The hidden security risks of MCP: a breakdown

While MCP simplifies integration, it introduces a mix of classic vulnerabilities and novel AI-native attack surfaces.

Existing Security Challenges (Amplified by MCP)

Server Trust Issues & Supply Chain Risks

The classic supply chain security issues associated with acquiring software from the internet. Without having a trusted registry or a standard signing process, attackers can publish servers and clients disguised as legitimate ones. Installing them could lead to running arbitrary, unverified code opening doors to supply-chain attacks.

Plaintext Credentials

Many MCP servers often store sensitive API keys in .env files or hardcoded configs to make development easier. Accidentally exposing these to the internet may lead to compromise or access to private systems or data.

Weak or Missing Authentication

The MCP spec makes authentication optional. Many deployments lack authentication, leaving servers exposed to unauthorized connections and potential DoS attacks. This was the biggest risk when MCP was launched, The industry has taken steps to address the concerns, but this issue has ways to go before it can be completely eradicated.

Excessive Permissions

Many misconfigured servers may expose tools or data to the LLM without restriction. A single compromise could provide attackers with unfettered access to APIs and critical resources.

Lack of Observability

MCP tools are still new and may not have rigorous logging and observability capabilities leading to gaps during security investigations.

AI-specific risks, and why MCP worsens them

MCP may sometimes amplify risks already inherent in LLMs by granting agency over real-world systems.

Prompt Injection

Attackers can inject malicious instructions into inputs or documents, leading LLMs to trigger harmful tool invocations such as data exfiltration or API misuse.

Line Jumping Attacks

Malicious or compromised servers can embed instructions in tool descriptions processed during initialization. This preempts user approvals and allows early manipulation of LLM behavior.

ANSI Terminal Code Abuse

Hidden escape codes in outputs can bypass human review while still influencing LLMs, enabling stealthy attacks.

Conversation History Theft

Compromised tools may instruct LLMs to retrieve prior session data, breaching user privacy.

Instruction Override & Boundary Confusion

Weak delimiters or parsing flaws blur context boundaries, allowing attackers to override system-level instructions.

Metadata Manipulation

Poisoned tool metadata can escalate privileges or deceive users, turning benign-looking tools into destructive ones.

By empowering LLMs to act directly, MCP turns confined prompt abuses into system-level exploits.

MCP-Specific Protocol Exploits

Tool Definition Modification (“Rug Pull” Attacks)

Malicious or compromised servers can alter tool behavior after approval, e.g., turning a "read-only" tool into one with write access.

Tool Shadowing

Attackers could duplicate trusted tools and modify their functionality to cause unexpected outcomes. Similar to some supply chain attacks.

Session ID Exposure

There are multiple independent components in an MCP setup, like LLM, client, server, and tools. Any one system that is misconfigured may expose session id or secrets. e.g., Session tokens in MCP URLs may leak via logs or chat history, enabling session hijacking.

Command Injection

A recent research found that 43% of tested MCP servers allowed unsanitized inputs to execute OS commands (Equixly, 2025). This can give the LLM or an attacker the opportunity to run unauthorized code on sensitive systems.

Path Traversal & File Read

The same study found that 22% of the tested MCP servers exposed sensitive files via directory traversal attacks. Misconfigured or excessive permissions given to MCP tools may lead to data leakage.

SSRF (Server-Side Request Forgery)

Similar to path traversal and command injection, a tool or server without SSRF protections could connect to an internal network or attack another application on the internet via the MCP server.

Best Practices for securing your MCP

The community is actively working to strengthen MCP security with libraries and secure-by-default frameworks expected to gain traction soon. In the meantime, here’s a quick checklist to help secure your MCP deployments and integrations.

Infrastructure & access

• Use signed, verified MCP servers.
• Enforce strong authentication for all deployments.
• Store secrets securely (AWS Secrets Manager, HashiCorp Vault).
• Apply least privilege principles to all tools.

Environment hardening

• Sandbox MCP servers in containers with strict permissions.
• Use runtime protections like seccomp and AppArmor.
• Monitor activity with anomaly detection tools.
• Require human approvals for high-risk actions.

Input/Output safety

• Sanitize all inputs and outputs rigorously.
• Filter out rogue terminal codes and prevent PII leakage.
• Enforce strong context boundaries to avoid injection.

Enterprise integration

• Integrate MCP with SIEM and IAM solutions.
• Include MCP in threat models.
• Train engineers on MCP-specific risks.

What’s Next for MCP Security?

Vendors like Palo Alto Networks are releasing AI-based runtime security tools to address MCP-specific threats. Expect future advancements in:

• Standardization
• Detection systems
• Secure-by-design frameworks

There’s also an MCPSafetyScanner to scan your MCP instance.

Final Thoughts

MCP is a transformative protocol for agentic AI, but it carries significant risks. From classic flaws like command injection to AI-native threats such as prompt manipulation, the stakes are high.