model context problems

a running record of publicly disclosed security incidents in the Model Context Protocol ecosystem. because what could possibly go wrong when you let language models autonomously talk to everything?

25
incidents tracked
12
critical severity
10
high severity
18
CVEs assigned
numbers update as new incidents are disclosed.

2026 · july · 02

[critical] CVE-2026-52830

fast-mcp-telegram Uses Bearer Tokens as Session-File Paths; Path Traversal Grabs the Default Account

CVE-2026-52830 (CVSS 9.4) landed in the NVD on July 2, 2026 against fast-mcp-telegram, an MCP server that bridges HTTP requests to Telegram's MTProto API and supports multi-user Bearer-token authentication. The server authenticates incoming HTTP clients by joining the raw Bearer-token string into a session-file path and checking whether that file exists on disk. The verifier explicitly rejects the reserved literal telegram so HTTP callers cannot select the stdio/legacy default session, but it does not reject .. and does not normalize the path before the existence check. A remote HTTP client that sends Authorization: Bearer ../fast-mcp-telegram/telegram walks the traversal back to the documented default session file at ~/.config/fast-mcp-telegram/telegram.session, and the server hands the caller that session. With account-prefixed MCP tools enabled, the prefix middleware still exposes tools for the default account, so the intended isolation between the HTTP transport and the legacy default account collapses. Every version prior to 0.19.1 is vulnerable.

the reviewer who approved `session_path = join(dir, bearer_token)` as the entire auth layer
EX.Athe reviewer who approved `session_path = join(dir, bearer_token)` as the entire auth layer
commentary
os.path.join(sessions_dir, bearer_token) is written down somewhere in this repository as an authentication decision. The reserved-name check knew telegram was the string to worry about. The path traversal reached the string telegram anyway, because the string was also a filename. The bug is not the missing normalization; the bug is that the token was a path.
impact

An unauthenticated remote HTTP client with network reach to a `fast-mcp-telegram` HTTP endpoint impersonates the default Telegram account any time that account's session file lives at the documented default path. From there the caller drives every account-prefixed MCP tool as the default user, which for a Telegram bridge covers reading and sending messages, listing chats, and shipping attachments.

tags

2026 · june · 30

[informational] no CVE assigned

Microsoft Incident Response: Enterprise Copilot Agents Trust Poisoned MCP Tool Descriptions

Microsoft's Detection and Response Team, the incident-response arm inside Microsoft Security, published guidance on June 30, 2026 flagging tool-description poisoning as an active attack path against enterprise agents built on Microsoft 365 Copilot, Copilot Studio, and Azure AI Foundry. Every MCP tool ships a plain-text description that tells the agent what the tool does and when to invoke it, and the guidance notes that the description lives in the agent's working memory next to its real orders. Third-party MCP servers can change that description at runtime and, in default enterprise configurations, the poisoned version becomes active without a new consent prompt. Microsoft's worked scenario has a finance team wiring a vendor-enrichment MCP server into a Copilot Studio invoice agent. The tool's visible name and summary stay unchanged, while the description grows a formatting-note-shaped instruction to attach the last thirty unpaid invoices to the next call. The next routine supplier lookup ships those invoices to whatever endpoint the tool's HTTP client points at. Microsoft's mitigation stack is a tenant-level MCP publisher allowlist (disabling Allow all), Prompt Shields inspection of tool metadata and responses, Purview DLP on tool parameters, human approval on high-impact actions, Entra Agent ID plus Conditional Access on agent identities, and Sentinel correlation between agent behavior and MCP telemetry.

commentary
Invariant Labs coined tool poisoning in April 2025. Fifteen months later Microsoft Incident Response is walking Copilot Studio customers through a worked example of it, with a mitigation checklist that reads assume MCP publishers are hostile. The protocol still ships the same trust boundary the coining paper described, which is to say it does not really ship one.
impact

An approved third-party MCP tool can be turned into an exfiltration channel by rewriting its description, and every enterprise Copilot tenant that leaves the default `Allow all` MCP configuration on picks up the poisoned version without any re-approval. The advisory applies to Microsoft 365 Copilot, Copilot Studio, and Azure AI Foundry agents that can send email, create files, change calendars, query business systems, or run multi-step workflows.

tags

2026 · june · 29

[critical] CVE-2026-48558

Djinn Stealer Adds ~/.claude/mcp.json to Its Loot List After SimpleHelp Auth Bypass

Blackpoint Cyber's Adversary Pursuit Group published an intrusion investigation on June 29, 2026 that started with CVE-2026-48558, a critical (CVSS 10.0) authentication bypass in SimpleHelp RMM's OpenID Connect flow originally disclosed by Horizon3.ai on June 12. The server accepted OIDC identity tokens without verifying their cryptographic signature, so an unauthenticated attacker submitted a forged token with arbitrary claims and got a fully authenticated technician session on an internet-facing SimpleHelp install. From that foothold the operator dropped TaskWeaver, a heavily obfuscated Node.js loader that runs as jquery.js under node.exe, then used TaskWeaver's encrypted channel to deliver a second previously undocumented family, Djinn Stealer. Djinn ships collection rules for Windows, macOS, and Linux and, alongside the standard AWS/Azure/GCP/Oracle/Okta/Cloudflare/Vault/Terraform/browser/crypto-wallet sweep, has a dedicated section for AI-assisted development tools. It reads configuration, session, and auth material from Anthropic Claude, Google Gemini, and OpenAI Codex, plus open-source coding agents Cline, OpenCode, and Kilo, and it explicitly walks paths like ~/.claude/mcp.json where MCP server URLs and tokens live. CISA added CVE-2026-48558 to the Known Exploited Vulnerabilities catalog the same day Blackpoint published, with a BOD 26-04 remediation deadline of July 7 for federal civilian agencies.

commodity infostealer collection rules, 2024 | commodity infostealer collection rules, 2026 (now with ~/.claude/mcp.json)
EX.Acommodity infostealer collection rules, 2024 | commodity infostealer collection rules, 2026 (now with ~/.claude/mcp.json)
commentary
The moment a commodity infostealer's collection ruleset lists ~/.claude/mcp.json next to .env files and browser cookies is the moment MCP configuration is officially loot. Djinn also enumerates Cline, OpenCode, Kilo, Gemini, and Codex, so the operators did the market research. The .claude directory is now a threat model of its own.
impact

Any organization exposing an unpatched SimpleHelp RMM to the internet could have its technician session hijacked with a forged OIDC token, then have a developer machine's MCP configuration harvested along with the usual cloud, source-control, and wallet material. Because MCP configs carry the tokens the developer's own agent uses, the stolen material grants the attacker the same downstream reach the agent already had into repos, databases, cloud accounts, and internal APIs.

tags

2026 · june · 26

[high] CVE-2026-12957, CVE-2026-12958

Amazon Q for VS Code Auto-Loads .amazonq/mcp.json From Any Cloned Repo

Wiz Research's Maor Dokhanian disclosed that the Amazon Q Developer extension for Visual Studio Code reads .amazonq/mcp.json from any opened workspace and spawns the MCP servers it defines without checking workspace trust, surfacing a prompt, or even logging the action. The spawned processes inherit the developer's full environment, so anything the shell carries, including AWS access keys, cloud CLI tokens, SSH agent sockets, and API secrets, is handed directly to whatever command the config pointed at. Wiz reported the issue to AWS on April 20, 2026; AWS deployed an initial fix on May 12 and publicly disclosed on June 26 under Security Bulletin 2026-047-AWS as CVE-2026-12957 (CVSS 8.5). The same bulletin tracks a second flaw, CVE-2026-12958, a missing symlink check in Language Servers for AWS that lets a maliciously crafted symlink inside an opened workspace point at a target outside the workspace trust boundary, enabling arbitrary file writes. Both are remediated in Language Servers for AWS 1.65.0; AWS asks customers to upgrade to 1.69.0 for the broader rollup.

git clone, open in VS Code, lose AWS creds. apparently that's the design
EX.Agit clone, open in VS Code, lose AWS creds. apparently that's the design
commentary
Workspace trust exists in VS Code specifically so that git clone && code . is not also chmod +x ./*.sh && ./run-all. Amazon Q's MCP loader read past that signal because the config file lived under .amazonq/ and was therefore, by assumption, friendly. The same assumption produced the symlink bug. The fix list is the assumption list.
impact

Anyone who clones a repository, opens it in VS Code with Amazon Q installed, and is connected to their cloud session executes whatever the repo's `.amazonq/mcp.json` told MCP to run, attached to their live AWS credentials, with no further interaction. The chained symlink bug bumps the same workspace-open into arbitrary file writes outside the trust boundary.

tags

2026 · june · 23

[high] CVE-2026-12112, CVE-2026-9073

Red Hat Satellite foreman-mcp-server Treats Session IDs as Auth, Logs Them

Red Hat published advisories for two issues in foreman-mcp-server, the Technology Preview MCP server bundled with Satellite 6.18. CVE-2026-12112 (CVSS 7.8, Important) is the session-management bug. The server caches authenticated client connections and trusts the session ID on subsequent requests without re-validating the underlying authentication tokens, so anyone holding a session ID inherits the active administrative session. CVE-2026-9073 (Moderate) is how that session ID gets obtained. The server writes every newly created session ID to standard logs at the informational level, and when debug logging is enabled, also persists HTTP authorization headers in cleartext. Both advisories landed on June 23, 2026, without a fixed-version pointer at publication. Red Hat's interim mitigation is to restrict access to foreman-mcp-server, scrub log forwarding, and watch for suspicious session activity.

commentary
A session ID treated as a bearer token is a design choice. A session ID treated as a bearer token and logged at INFO is the kind of thing that fails its first compliance audit. Both behaviors live in the same component, shipped under the Technology Preview label, which is the industry-standard phrasing for please discover the bugs for us.
impact

Anyone with read access to Satellite's container logs, or to any sink those logs were forwarded to, harvests session IDs that are themselves the bearer credential. Replaying them produces hijacked administrative sessions on a Satellite instance and, through it, infrastructure-wide code execution against the hosts it manages.

tags

2026 · june · 17

[critical] no CVE assigned

Mastra AI npm Scope Hijacked by Sapphire Sleet, 142 MCP Framework Packages Backdoored

Between 01:12 and 02:39 UTC on June 17, 2026, a single compromised npm account named ehindero republished 142 packages across the @mastra scope, the TypeScript AI agent framework whose @mastra/core, @mastra/mcp, and @mastra/mcp-docs-server packages clear roughly a million weekly downloads between them. The compromised versions were byte-for-byte identical to the legitimate builds; the only change in each manifest was a single injected dependency, easy-day-js, a typosquat of dayjs published one hour earlier under the alias sergey2016. The dependency's postinstall hook disabled TLS certificate verification, fetched a second-stage payload from attacker infrastructure, executed it as a detached background process, and deleted itself to limit forensic traces. The cross-platform infostealer harvested browser data from Chrome, Edge, and Brave, extracted credentials from 166 cryptocurrency wallet extensions, and swept GitHub tokens, npm tokens, SSH keys, and .env files before exfiltrating to attacker C2. Microsoft Threat Intelligence attributed the activity to Sapphire Sleet (BlueNoroff), a North Korean state actor that has been running fake-recruiter LinkedIn campaigns against open-source maintainers; Mastra confirmed the compromised maintainer was a current employee whose machine was taken over after exactly that kind of contact. Socket flagged the malicious wave within six minutes of publication and Mastra force-published clean releases across all 142 packages.

every AI dev who installed @mastra/core this morning, reading the IOCs over coffee
EX.Aevery AI dev who installed @mastra/core this morning, reading the IOCs over coffee
commentary
One LinkedIn DM took over the entire @mastra npm scope. Time-to-publish-malware was eighty-eight minutes, faster than most incident-response oncall rotations resolve a page. The remediation checklist starts at "rotate every credential a developer machine has ever held" and the list gets longer from there.
impact

Anyone running `npm install` against an `@mastra/*` version in the 88-minute window received a credential harvester running inside their developer or CI/CD environment. The blast radius covered every consumer of the framework's MCP client and server packages; Mastra advised treating any affected install as fully compromised and rotating every credential the host had touched, including cryptocurrency wallet seeds.

tags

2026 · june · 12

[critical] no CVE assigned

Agentjacking Turns Fake Sentry Errors Into AI Coding Agent RCE via MCP

Tenet Security disclosed agentjacking, an attack class that uses Sentry's open event-ingestion architecture to plant prompt-injection payloads inside fake bug reports, then waits for an AI coding agent connected to the Sentry MCP server to read them. A Sentry DSN is a write-only credential that every frontend ships in its JavaScript, so finding one is a GitHub search. The injected event's message field and context keys carry markdown that renders identically to Sentry's own system template: headings, code blocks, tables. When Claude Code, Cursor, or Codex retrieves the event over MCP as a triage prompt, the agent treats the embedded instructions as legitimate diagnostic steps and executes attacker-controlled commands with the developer's own privileges. Tenet reported an 85% success rate against the three agents across more than 100 organizations in controlled tests and identified at least 2,388 organizations with injectable DSNs in production. The Cloud Security Alliance AI Safety Initiative published the research as a CSA Research Note on June 12, 2026, with parallel coverage at The Hacker News the same day.

sentry on the root cause: "technically not defensible"
EX.Asentry on the root cause: "technically not defensible"
commentary
Sentry's response was that the issue is technically not defensible at the platform level, so they shipped a content filter for the exact payload string Tenet sent them. The architectural pathway, where any DSN can plant agent-executable commands inside a customer's triage workflow, is untouched. The acknowledgement and the non-fix arrived the same day.
impact

Anyone with a public Sentry DSN can plant a single error event that exfiltrates AWS keys, GitHub tokens, Sentry auth tokens, git credentials, and private repo URLs from the developer's machine through the Sentry MCP triage path. Every step in the chain is authorized, so EDR, WAF, IAM, VPN, and Cloudflare see nothing to block.

tags

2026 · june · 09

[high] no CVE assigned

Shai-Hulud 'Hades' Wave Drops Split-Loader Malware on MCP-Themed PyPI Packages

Socket's Threat Research team disclosed on June 9, 2026 that the active Mini Shai-Hulud / Miasma / Hades supply-chain campaign had added 23 fresh malicious PyPI artifacts the day prior, five of them aimed directly at developers building MCP integrations: langchain-core-mcp, openai-mcp, instructor-mcp, tiktoken-mcp, and ray-mcp-server. The wheels follow the Hades pattern earlier waves established on npm: a .pth startup hook fires during Python's site initialization, downloads the Bun JavaScript runtime as a living-off-the-land binary, then runs an obfuscated stealer staged through Bun with a fake prompt-injection header at the top of the payload. The langchain-core-mcp wheel ships only the .pth loader and no bundled _index.js, instead walking every entry in sys.path for the payload at runtime. The split-staging architecture decouples loader from payload so static scanners that audit the wheel they were handed see nothing executable. The June 8 PyPI wave brought the campaign's cross-ecosystem total to 471 artifacts spanning 411 npm packages and 60 PyPI wheels since June 1, with Socket tracking it pivoting delivery mechanisms every 48 to 72 hours.

every MCP integration tutorial that opened with pip install something-mcp
EX.Aevery MCP integration tutorial that opened with pip install something-mcp
commentary
The package names are unsubtle on purpose. Anyone typing pip install langchain-core-mcp in the dark is the demographic. The split-staging .pth trick is also on purpose: most scanners look inside the wheel they're handed, not the rest of sys.path. Defense in depth, attacker-side.
impact

Developers searching PyPI for an MCP integration could land on a wheel that dropped a credential harvester at install time. Targeted material includes GitHub tokens, npm and PyPI publish keys, AWS, GCP, Azure, Kubernetes service-account material, SSH keys, Docker config, shell history, `.env` files, and AI developer tool configuration including `~/.claude.json`. PyPI removed the artifacts after Socket reported them, but any install that ran during the window should be treated as compromised.

tags

2026 · june · 02

[high] no CVE assigned

Claude Code GitHub Action Prompt Injection Hijacks Any Downstream Repo

GMO Flatt Security's RyotaK and Microsoft Threat Intelligence published parallel research disclosing prompt-injection bypasses in Anthropic's official claude-code-action GitHub Action. Flatt's writeup, posted June 2, traced the checkWritePermissions function unconditionally trusting any actor whose login ended in [bot], which let any GitHub App author crafted issues whose contents Claude then treated as authorized instructions. Microsoft's June 5 post documented a second path: the agent's Read tool sat outside the Bubblewrap sandbox that wrapped Bash, so /proc/self/environ was reachable from inside any triage run. Both chains exfiltrated the workflow's ANTHROPIC_API_KEY, OIDC token, and any other CI secrets via the GitHub MCP server's update_issue tool, WebFetch, or echoed log output. Anthropic rated the issues 7.8 under CVSS v4.0, shipped fixes across claude-code-action v1.0.94 and Claude Code 2.1.128, and paid a bounty. A variant of the same misconfiguration class was already exploited in February against Cline's triage workflow to steal an npm publish token and push an unauthorized cline@2.3.0.

checkWritePermissions · Read tool sandbox · GitHub MCP update_issue, lined up at exfil
EX.AcheckWritePermissions · Read tool sandbox · GitHub MCP update_issue, lined up at exfil
commentary
An auth check that boils down to actor.endsWith('[bot]') is roughly the part of an auth system you'd hope --insecure-skip-tls-verify=true was, only less polite. The Bash tool got a Bubblewrap sandbox. The Read tool got a permission check. Whoever signed off on that delta hadn't yet met an LLM willing to ask Read for /proc/self/environ.
impact

Any repository running the action with a `[bot]`-authored triage workflow could be coaxed into leaking its `ANTHROPIC_API_KEY`, OIDC token, and other workflow secrets, then accepting attacker-authored commits. Because `anthropics/claude-code-action` itself ran the vulnerable workflow, a successful compromise of the action's own repo would have flowed to every downstream consumer.

tags

2026 · may · 21

[high] CVE-2026-46519, CVE-2026-47250

mcp-server-kubernetes Ships Two Access Control Bypasses in Two Weeks

Flux159's mcp-server-kubernetes shipped two access-control failures disclosed two weeks apart in late May and early June 2026. CVE-2026-46519 (CVSS 8.8), published May 21, found that the ALLOWED_TOOLS, ALLOW_ONLY_READONLY_TOOLS, and ALLOW_ONLY_NON_DESTRUCTIVE_TOOLS environment variables were enforced only inside the tools/list handler. The tools/call handler had none of those checks, so any client that already knew a tool name could invoke kubectl_delete, exec_in_pod, or kubectl_generic regardless of the configured restriction mode. v3.6.0 added matching enforcement at the execution layer. CVE-2026-47250 (CVSS 3.1), published June 5, showed that kubectl_generic still passed user-supplied flags straight to kubectl with no allowlist. A prompt injection planted in pod logs could nudge the agent to call kubectl_generic with --server=https://attacker.example/ and --insecure-skip-tls-verify=true, sending the operator's bearer token to the attacker. v3.7.0 added flag filtering. The researcher confirmed the full prompt-injection-to-token-exfiltration chain end to end against a live kind cluster with Claude Haiku as the agent.

commentary
Both bugs assume the same thing: the restrictions defined in config are the restrictions the code is checking. They aren't, and they weren't. Putting an AI agent between the operator and kubectl doesn't change the lesson, except that the agent will type --insecure-skip-tls-verify=true for you, on request, from a pod log.
impact

Pre-v3.6.0 deployments let any reachable client invoke arbitrary `kubectl` tools regardless of the configured restriction policy. Pre-v3.7.0 deployments let prompt-injected pod logs harvest the operator's kubeconfig bearer token, which then replays directly against the real cluster's API server.

tags

2026 · may · 20

[high] no CVE assigned

Claude Code SOCKS5 Sandbox Bypass Exfiltrates Credentials and MCP Configs

Aonan Guan, who leads cloud and AI security at Wyze Labs, publicly disclosed his second Claude Code network sandbox bypass in five months. The latest issue is a SOCKS5 hostname null-byte injection. Claude Code's proxy enforces its egress allowlist by passing the raw DOMAINNAME bytes from a CONNECT request through a JavaScript endsWith() check against the user's wildcard policy. JavaScript treats \x00 as an ordinary UTF-16 code unit, so a crafted host like attacker-host.com\x00.google.com matches an allowlist entry for .google.com and is approved. When libc later resolves the hostname via getaddrinfo(), the C runtime truncates at the null byte and dials attacker-host.com instead. Every release from v2.0.24 (sandbox GA on Oct 20, 2025) through v2.1.89 was vulnerable. Anthropic shipped a fix in v2.1.90 on April 1, 2026, with no security note in the changelog, no advisory on the Claude Code page, and no CVE assigned. Exfiltration paths reachable from inside the sandbox include MCP server configs, ~/.claude.json, project source, and anything else the agent could read.

commentary
The sandbox failed open because endsWith and getaddrinfo disagree about whether \x00 is a character. That isn't an exotic bug. The Apache HTTP server fixed the SSL-certificate-null-byte version of it in 2009. Shipping a network policy that's robust against motivated attackers takes engineering. Shipping one quietly takes considerably less.
impact

Arbitrary data exfiltration past the network allowlist for roughly 5.5 months across about 130 published versions. Users who relied on a wildcard allowlist during that window received no advisory telling them to rotate credentials.

tags

2026 · may · 20

[informational] no CVE assigned

NSA Publishes MCP Security Design Considerations

The NSA's Artificial Intelligence Security Center released a Cybersecurity Information Sheet titled "Model Context Protocol (MCP): Security Design Considerations for AI-Driven Automation." The document flags MCP's "rapid proliferation [that] has outpaced the development of its security model." It calls out the protocol's inversion of the typical client-server pattern (the server can prompt the client to take actions) and enumerates systemic concerns: trust boundary ambiguity, unverified task propagation, session-replay risk, and serialization issues. It urges "heightened scrutiny" for production deployments, especially in national-security and high-assurance environments.

commentary
When the NSA publishes a Cybersecurity Information Sheet saying your protocol "outpaced the development of its security model," "expected behavior" is probably not the response the rest of the industry wants on file.
impact

Formal government-level acknowledgment that MCP's security model is underdeveloped, naming concrete protocol-design gaps that operators are expected to compensate for.

tags

2026 · may · 19

[critical] CVE-2026-45321

Mini Shai-Hulud Worm Weaponizes Claude Code and MCP Configs for Persistence

TeamPCP's Mini Shai-Hulud worm campaign ran through April and May 2026, hijacking npm maintainer accounts and publishing self-propagating malware across more than 600 packages on npm and PyPI. The May 19 wave compromised the atool and prop accounts and pushed 639 malicious versions across 323 packages in Alibaba's @antv data visualization ecosystem in a 22-minute automated burst. Earlier waves hit SAP CAP / mbt (April 29), TanStack (May 11), Mistral AI, Guardrails AI, UiPath, and OpenSearch. Each compromised release ships a preinstall hook that downloads the Bun JavaScript runtime as a living-off-the-land binary, then executes a credential harvester that sweeps cloud tokens, CI secrets, and password-manager vaults. The novel part: the payload reads ~/.claude.json and the host's MCP server configurations, then appends SessionStart hooks to .claude/settings.json so the next time Claude Code opens any project on the machine, the malware re-executes with full agent privileges. Researchers at Akamai, Snyk, Wiz, StepSecurity, and Phoenix Security all confirmed the AI-coding-agent persistence behavior independently.

first supply chain worm to use SessionStart hooks for persistence
EX.Afirst supply chain worm to use SessionStart hooks for persistence
commentary
The threat model that produced .claude/settings.json as a hook execution surface assumed nobody would write to it. The threat model that left MCP server config readable assumed nobody would read it. Both held up fine until somebody did both at once with a worm named after a Frank Herbert monster.
impact

Credential theft at scale across GitHub, npm, AWS, GCP, Azure, Vault, 1Password, and Bitwarden, plus self-propagation via stolen npm tokens and live AI-agent re-execution on every Claude Code session. Over 1,197 confirmed compromised repositories within hours of the @antv wave.

tags

2026 · april · 25

[critical] CVE-2026-33032

nginx-ui MCP Endpoint Unauthenticated RCE

Pluto Security disclosed a critical (CVSS 9.8) vulnerability in nginx-ui's Model Context Protocol implementation. The MCP integration split traffic across two HTTP endpoints. /mcp handles session establishment and was correctly gated by an IP whitelist and auth middleware. /mcp_message handles tool invocation, including configuration writes and server restart, and shipped with no authentication at all. The default IP whitelist is empty, so the unauthenticated endpoint accepted connections from any address. Shodan turned up over 2,600 publicly exposed nginx-ui instances on the default port 9000. Pluto disclosed in early March 2026, v2.3.4 fixed it, and Recorded Future later listed the CVE among 31 vulnerabilities actively exploited by threat actors in March 2026.

commentary
One MCP endpoint had IP allow-listing and authentication middleware. The other was the one that actually mattered, and it shipped without either. Same project, same PR, same review. The mental model under which /mcp_message doesn't need auth because /mcp already had it is the same one that puts a screen lock on the front camera only.
impact

Unauthenticated remote modification of NGINX configuration, server restart, traffic interception, and administrator credential harvesting. Confirmed exploitation in the wild.

tags

2026 · april · 15

[critical] CVE-2026-30623

Anthropic MCP SDK STDIO Command Injection (Declined to Patch)

OX Security disclosed a systemic command-injection vulnerability in Anthropic's official MCP SDKs across Python, TypeScript, Java, and Rust. The STDIO transport invokes a configured command string through the OS shell unconditionally. If the intended MCP binary doesn't exist, the shell still executes whatever command was supplied. OX identified four distinct exploitation families all tracing back to the same root cause, affecting more than 7,000 publicly accessible servers and 150 million package downloads, with an estimated 200,000 vulnerable instances across the ecosystem. Anthropic acknowledged the behavior, declined to modify the protocol, and updated its security guidance to advise that STDIO adapters be "used with caution." The company characterized the existing design as a secure default with sanitization being the developer's responsibility. Downstream CVEs already cluster around the same root cause: CVE-2026-22252 (LibreChat), CVE-2026-22688 (WeKnora), CVE-2025-54994 (@akoskm/create-mcp-server-stdio).

critical vulnerability disclosure | expected behavior, by design
EX.Acritical vulnerability disclosure | expected behavior, by design
commentary
"Sanitization is the developer's responsibility" is a fine policy for printf("%s"). It is a less fine policy for a protocol whose entire pitch is that you can wire up a command string from a config file and have a language model decide when to invoke it. The number of those 200,000 deployers who have read the updated security policy is fewer than 200,000.
impact

Arbitrary OS command execution on hosts running vulnerable MCP servers, with no protocol-level fix forthcoming. Every implementer is now responsible for sanitizing input that the SDK explicitly hands to a shell.

tags

2026 · march · 16

[informational] no CVE assigned

Perplexity Ditches MCP

At its core, the article argues that MCP is too token-hungry to be practical at production scale, with tool definitions consuming the majority of context before any user request is even processed. Several major companies are independently abandoning it in favor of lighter-weight alternatives like traditional APIs and CLIs.

everyone who said MCP would be the universal protocol
EX.Aeveryone who said MCP would be the universal protocol
commentary
"Universal AI protocol" was always going to mean "burn 72% of your context window on tool definitions you'll never use," but I appreciate that we collectively had to spend a year discovering it.
impact

MCP's "universal AI protocol" vision is effectively dead for production use cases, surviving only as a niche tool for desktop/IDE integrations.

tags

2026 · february · 18

[critical] no CVE assigned

ContextCrush Flaw in Context7 MCP Server

Noma Labs discovered the ContextCrush vulnerability in Context7, a registry that delivers coding documentation to AI assistants via an MCP server. Attackers manipulated the platform's Custom Rules feature to plant malicious instructions. When an AI coding assistant (like Cursor or Windsurf) queried the documentation, it ingested the poisoned rules via the trusted MCP channel and autonomously executed harmful actions, such as stealing .env files.

the documentation registry's threat model
EX.Athe documentation registry's threat model
commentary
Imagine trusting an unauthenticated third-party documentation registry to autonomously execute commands in your dev environment. Couldn't be me. Was probably you.
impact

Widespread credential theft and data exfiltration via third-party documentation poisoning.

tags

2026 · january · 21

[critical] no CVE assigned

Microsoft MarkItDown MCP Server SSRF

BlueRock researchers discovered a severe Server-Side Request Forgery (SSRF) flaw in the MCP server built for Microsoft's MarkItDown file converter. The server failed to validate URIs, allowing attackers to force the AI agent to query local cloud metadata endpoints (e.g., AWS 169.254.169.254). Subsequent scans revealed over 36% of public MCP servers contained similar SSRF vulnerabilities.

it looks like you're trying to leak AWS metadata. need help with that?
EX.Ait looks like you're trying to leak AWS metadata. need help with that?
commentary
36% of public MCP servers shipped with the same vulnerability class. The author of that statistic is being polite. The actionable number is: don't run anything you didn't read yourself.
impact

Exposure of AWS instance metadata, leading to the extraction of access keys, secret keys, and session tokens.

tags

2026 · january · 20

[high] CVE-2025-68143, CVE-2025-68144, CVE-2025-68145

Anthropic Git MCP Server RCE

Cyata researchers disclosed a chain of critical vulnerabilities in Anthropic's official Git MCP server. The flaws included an unrestricted git_init function, a path-validation bypass, and an argument-injection vulnerability. Attackers could chain these to turn arbitrary directories into Git repositories, overwrite system files, and achieve RCE via malicious .git/config manipulation.

git_init · path validator · arg parser, on disclosure day
EX.Agit_init · path validator · arg parser, on disclosure day
commentary
CVSS 8.1 in the official server. Not a dodgy third-party one. The shipped-by-the-company-named-after-the-protocol one.
impact

High-severity (CVSS 8.1) arbitrary file deletion, file overwriting, and RCE.

tags

2025 · july · 15

[high] CVE-2025-53109, CVE-2025-53110

Anthropic Filesystem MCP Sandbox Escape

Cymulate disclosed two high-severity defects in Anthropic's official Filesystem MCP Server. Attackers exploiting these flaws could list, read, or write to directories outside the allowed scope. If the server was run as a privileged user, this could lead to full sandbox escape, manipulation of critical system files, and privilege escalation.

commentary
"Allowed scope" was never going to survive contact with a model that's also been instructed to be helpful, accommodating, and never refuse a tool call.
impact

Unauthorized host filesystem manipulation and sandbox escape.

tags

2025 · july · 10

[critical] CVE-2025-49596

Anthropic MCP Inspector Local Network RCE

Oligo Security and Tenable discovered a critical flaw (CVSS 9.4) in the Anthropic MCP Inspector tool. Because the interactive web UI launched via localhost lacked out-of-the-box authentication, an attacker on the same local network could inject malicious commands (NeighborJacking) or use cross-site attacks to achieve RCE.

me reading "localhost doesn't need auth" in 2025
EX.Ame reading "localhost doesn't need auth" in 2025
commentary
The default debugging tool from the maintainers of the protocol shipped without authentication. The threat model, quoted: "it's localhost." Localhost has been a hostile network since the invention of coffee shop Wi-Fi.
impact

Arbitrary code execution via local network hijacking.

tags

2025 · july · 09

[critical] CVE-2025-6514

mcp-remote OS Command Injection

The JFrog Security Research team discovered a critical vulnerability (CVSS 9.6) in mcp-remote, a popular proxy tool (over 437,000 downloads) used to connect local LLM hosts to remote MCP servers. If a user connected to a malicious remote MCP server, the server could send a booby-trapped authorization_endpoint URL that achieved full arbitrary OS command execution on the user's local machine.

commentary
437,000 downloads. A booby-trapped authorization_endpoint URL. Full RCE on the client. The MCP supply chain isn't a chain so much as a single rusted carabiner.
impact

Full system compromise and RCE on the client OS.

tags

2025 · june · 18

[high] no CVE assigned

Asana MCP Server Cross-Tenant Data Leak

Work management platform Asana had to temporarily disable its experimental MCP feature after discovering a logic flaw in its implementation. The misconfiguration failed to isolate cross-tenant data, meaning AI agents could potentially access customer data, projects, and tasks belonging to entirely different organizations.

impact

Unauthorized exposure of customer data to other organizations.

tags

2025 · june · 12

[high] no CVE assigned

LangSmith AgentSmith Prompt Hub Flaw

A severe vulnerability (CVSS 8.8) dubbed AgentSmith was disclosed in LangSmith's Prompt Hub. The flaw exposed AI agents using MCP to data theft and manipulation, allowing malicious agents to hijack LLM responses and steal user API keys.

commentary
Naming your vulnerability after the bad guy from The Matrix doesn't make it cooler than "forgot to scope an API key." But points for effort.
impact

Credential theft and LLM manipulation.

tags

2025 · may · 26

[critical] no CVE assigned

GitHub MCP Prompt Injection Data Heist

Security researchers at Invariant Labs discovered a critical vulnerability affecting the official GitHub MCP integration. Attackers could create maliciously crafted issues in public repositories. When a developer asked their AI assistant to check open issues, the AI would read the malicious payload, get prompt-injected, and autonomously use the developer's credentials to exfiltrate private repository data (such as source code and salary information) into public pull requests.

every dev reading this and quietly revoking their AI assistant's repo scope
EX.Aevery dev reading this and quietly revoking their AI assistant's repo scope
commentary
The AI was helpfully reading the issue. The issue was helpfully telling it to leak code. There's no patch for "documentation can be lies." That's the entire reading-the-internet problem condensed into one CVE.
impact

Exfiltration of private repository data including source code and sensitive information.

tags
no incidents match this filter. lucky you.