<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"><channel><title>Model Context Problems</title><description>A chronicle of publicly disclosed security incidents in the Model Context Protocol ecosystem.</description><link>https://modelcontextproblems.com/</link><language>en-us</language><item><title>fast-mcp-telegram Uses Bearer Tokens as Session-File Paths; Path Traversal Grabs the Default Account</title><link>https://modelcontextproblems.com/#incident-25/</link><guid isPermaLink="true">https://modelcontextproblems.com/#incident-25/</guid><description>CVE-2026-52830 (CVSS 9.4) landed in the NVD on July 2, 2026 against `fast-mcp-telegram`, an MCP server that bridges HTTP requests to Telegram&apos;s MTProto API and supports multi-user Bearer-token authentication. The server authenticates incoming HTTP clients by joining the raw Bearer-token string into a session-file path and checking whether that file exists on disk. The verifier explicitly rejects the reserved literal `telegram` so HTTP callers cannot select the stdio/legacy default session, but it does not reject `..` and does not normalize the path before the existence check. A remote HTTP client that sends `Authorization: Bearer ../fast-mcp-telegram/telegram` walks the traversal back to the documented default session file at `~/.config/fast-mcp-telegram/telegram.session`, and the server hands the caller that session. With account-prefixed MCP tools enabled, the prefix middleware still exposes tools for the default account, so the intended isolation between the HTTP transport and the legacy default account collapses. Every version prior to 0.19.1 is vulnerable.</description><pubDate>Thu, 02 Jul 2026 00:00:00 GMT</pubDate><category>critical</category><category>authentication</category><category>authorization</category><category>data-leak</category></item><item><title>Microsoft Incident Response: Enterprise Copilot Agents Trust Poisoned MCP Tool Descriptions</title><link>https://modelcontextproblems.com/#incident-24/</link><guid isPermaLink="true">https://modelcontextproblems.com/#incident-24/</guid><description>Microsoft&apos;s Detection and Response Team, the incident-response arm inside Microsoft Security, published guidance on June 30, 2026 flagging tool-description poisoning as an active attack path against enterprise agents built on Microsoft 365 Copilot, Copilot Studio, and Azure AI Foundry. Every MCP tool ships a plain-text description that tells the agent what the tool does and when to invoke it, and the guidance notes that the description lives in the agent&apos;s working memory next to its real orders. Third-party MCP servers can change that description at runtime and, in default enterprise configurations, the poisoned version becomes active without a new consent prompt. Microsoft&apos;s worked scenario has a finance team wiring a vendor-enrichment MCP server into a Copilot Studio invoice agent. The tool&apos;s visible name and summary stay unchanged, while the description grows a formatting-note-shaped instruction to attach the last thirty unpaid invoices to the next call. The next routine supplier lookup ships those invoices to whatever endpoint the tool&apos;s HTTP client points at. Microsoft&apos;s mitigation stack is a tenant-level MCP publisher allowlist (disabling `Allow all`), Prompt Shields inspection of tool metadata and responses, Purview DLP on tool parameters, human approval on high-impact actions, Entra Agent ID plus Conditional Access on agent identities, and Sentinel correlation between agent behavior and MCP telemetry.</description><pubDate>Tue, 30 Jun 2026 00:00:00 GMT</pubDate><category>informational</category><category>prompt-injection</category><category>advisory</category><category>protocol-design</category><category>ai-supply-chain</category><category>llm-manipulation</category></item><item><title>Djinn Stealer Adds ~/.claude/mcp.json to Its Loot List After SimpleHelp Auth Bypass</title><link>https://modelcontextproblems.com/#incident-23/</link><guid isPermaLink="true">https://modelcontextproblems.com/#incident-23/</guid><description>Blackpoint Cyber&apos;s Adversary Pursuit Group published an intrusion investigation on June 29, 2026 that started with CVE-2026-48558, a critical (CVSS 10.0) authentication bypass in SimpleHelp RMM&apos;s OpenID Connect flow originally disclosed by Horizon3.ai on June 12. The server accepted OIDC identity tokens without verifying their cryptographic signature, so an unauthenticated attacker submitted a forged token with arbitrary claims and got a fully authenticated technician session on an internet-facing SimpleHelp install. From that foothold the operator dropped TaskWeaver, a heavily obfuscated Node.js loader that runs as `jquery.js` under `node.exe`, then used TaskWeaver&apos;s encrypted channel to deliver a second previously undocumented family, Djinn Stealer. Djinn ships collection rules for Windows, macOS, and Linux and, alongside the standard AWS/Azure/GCP/Oracle/Okta/Cloudflare/Vault/Terraform/browser/crypto-wallet sweep, has a dedicated section for AI-assisted development tools. It reads configuration, session, and auth material from Anthropic Claude, Google Gemini, and OpenAI Codex, plus open-source coding agents Cline, OpenCode, and Kilo, and it explicitly walks paths like `~/.claude/mcp.json` where MCP server URLs and tokens live. CISA added CVE-2026-48558 to the Known Exploited Vulnerabilities catalog the same day Blackpoint published, with a BOD 26-04 remediation deadline of July 7 for federal civilian agencies.</description><pubDate>Mon, 29 Jun 2026 00:00:00 GMT</pubDate><category>critical</category><category>exploited-in-the-wild</category><category>credential-theft</category><category>ai-supply-chain</category><category>data-exfiltration</category><category>authentication</category></item><item><title>Amazon Q for VS Code Auto-Loads .amazonq/mcp.json From Any Cloned Repo</title><link>https://modelcontextproblems.com/#incident-22/</link><guid isPermaLink="true">https://modelcontextproblems.com/#incident-22/</guid><description>Wiz Research&apos;s Maor Dokhanian disclosed that the Amazon Q Developer extension for Visual Studio Code reads `.amazonq/mcp.json` from any opened workspace and spawns the MCP servers it defines without checking workspace trust, surfacing a prompt, or even logging the action. The spawned processes inherit the developer&apos;s full environment, so anything the shell carries, including AWS access keys, cloud CLI tokens, SSH agent sockets, and API secrets, is handed directly to whatever command the config pointed at. Wiz reported the issue to AWS on April 20, 2026; AWS deployed an initial fix on May 12 and publicly disclosed on June 26 under Security Bulletin 2026-047-AWS as CVE-2026-12957 (CVSS 8.5). The same bulletin tracks a second flaw, CVE-2026-12958, a missing symlink check in Language Servers for AWS that lets a maliciously crafted symlink inside an opened workspace point at a target outside the workspace trust boundary, enabling arbitrary file writes. Both are remediated in Language Servers for AWS 1.65.0; AWS asks customers to upgrade to 1.69.0 for the broader rollup.</description><pubDate>Fri, 26 Jun 2026 00:00:00 GMT</pubDate><category>high</category><category>supply-chain</category><category>credential-theft</category><category>aws</category><category>ai-supply-chain</category><category>authorization</category></item><item><title>Red Hat Satellite foreman-mcp-server Treats Session IDs as Auth, Logs Them</title><link>https://modelcontextproblems.com/#incident-21/</link><guid isPermaLink="true">https://modelcontextproblems.com/#incident-21/</guid><description>Red Hat published advisories for two issues in foreman-mcp-server, the Technology Preview MCP server bundled with Satellite 6.18. CVE-2026-12112 (CVSS 7.8, Important) is the session-management bug. The server caches authenticated client connections and trusts the session ID on subsequent requests without re-validating the underlying authentication tokens, so anyone holding a session ID inherits the active administrative session. CVE-2026-9073 (Moderate) is how that session ID gets obtained. The server writes every newly created session ID to standard logs at the informational level, and when debug logging is enabled, also persists HTTP authorization headers in cleartext. Both advisories landed on June 23, 2026, without a fixed-version pointer at publication. Red Hat&apos;s interim mitigation is to restrict access to foreman-mcp-server, scrub log forwarding, and watch for suspicious session activity.</description><pubDate>Tue, 23 Jun 2026 00:00:00 GMT</pubDate><category>high</category><category>authentication</category><category>authorization</category><category>data-leak</category><category>privilege-escalation</category></item><item><title>Mastra AI npm Scope Hijacked by Sapphire Sleet, 142 MCP Framework Packages Backdoored</title><link>https://modelcontextproblems.com/#incident-20/</link><guid isPermaLink="true">https://modelcontextproblems.com/#incident-20/</guid><description>Between 01:12 and 02:39 UTC on June 17, 2026, a single compromised npm account named `ehindero` republished 142 packages across the `@mastra` scope, the TypeScript AI agent framework whose `@mastra/core`, `@mastra/mcp`, and `@mastra/mcp-docs-server` packages clear roughly a million weekly downloads between them. The compromised versions were byte-for-byte identical to the legitimate builds; the only change in each manifest was a single injected dependency, `easy-day-js`, a typosquat of `dayjs` published one hour earlier under the alias `sergey2016`. The dependency&apos;s `postinstall` hook disabled TLS certificate verification, fetched a second-stage payload from attacker infrastructure, executed it as a detached background process, and deleted itself to limit forensic traces. The cross-platform infostealer harvested browser data from Chrome, Edge, and Brave, extracted credentials from 166 cryptocurrency wallet extensions, and swept GitHub tokens, npm tokens, SSH keys, and `.env` files before exfiltrating to attacker C2. Microsoft Threat Intelligence attributed the activity to Sapphire Sleet (BlueNoroff), a North Korean state actor that has been running fake-recruiter LinkedIn campaigns against open-source maintainers; Mastra confirmed the compromised maintainer was a current employee whose machine was taken over after exactly that kind of contact. Socket flagged the malicious wave within six minutes of publication and Mastra force-published clean releases across all 142 packages.</description><pubDate>Wed, 17 Jun 2026 00:00:00 GMT</pubDate><category>critical</category><category>supply-chain</category><category>credential-theft</category><category>ai-supply-chain</category><category>exploited-in-the-wild</category><category>data-exfiltration</category></item><item><title>Agentjacking Turns Fake Sentry Errors Into AI Coding Agent RCE via MCP</title><link>https://modelcontextproblems.com/#incident-18/</link><guid isPermaLink="true">https://modelcontextproblems.com/#incident-18/</guid><description>Tenet Security disclosed `agentjacking`, an attack class that uses Sentry&apos;s open event-ingestion architecture to plant prompt-injection payloads inside fake bug reports, then waits for an AI coding agent connected to the Sentry MCP server to read them. A Sentry DSN is a write-only credential that every frontend ships in its JavaScript, so finding one is a GitHub search. The injected event&apos;s `message` field and context keys carry markdown that renders identically to Sentry&apos;s own system template: headings, code blocks, tables. When Claude Code, Cursor, or Codex retrieves the event over MCP as a triage prompt, the agent treats the embedded instructions as legitimate diagnostic steps and executes attacker-controlled commands with the developer&apos;s own privileges. Tenet reported an 85% success rate against the three agents across more than 100 organizations in controlled tests and identified at least 2,388 organizations with injectable DSNs in production. The Cloud Security Alliance AI Safety Initiative published the research as a CSA Research Note on June 12, 2026, with parallel coverage at The Hacker News the same day.</description><pubDate>Fri, 12 Jun 2026 00:00:00 GMT</pubDate><category>critical</category><category>prompt-injection</category><category>llm-manipulation</category><category>ai-supply-chain</category><category>credential-theft</category><category>data-exfiltration</category></item><item><title>Shai-Hulud &apos;Hades&apos; Wave Drops Split-Loader Malware on MCP-Themed PyPI Packages</title><link>https://modelcontextproblems.com/#incident-19/</link><guid isPermaLink="true">https://modelcontextproblems.com/#incident-19/</guid><description>Socket&apos;s Threat Research team disclosed on June 9, 2026 that the active Mini Shai-Hulud / Miasma / Hades supply-chain campaign had added 23 fresh malicious PyPI artifacts the day prior, five of them aimed directly at developers building MCP integrations: `langchain-core-mcp`, `openai-mcp`, `instructor-mcp`, `tiktoken-mcp`, and `ray-mcp-server`. The wheels follow the Hades pattern earlier waves established on npm: a `.pth` startup hook fires during Python&apos;s site initialization, downloads the Bun JavaScript runtime as a living-off-the-land binary, then runs an obfuscated stealer staged through Bun with a fake prompt-injection header at the top of the payload. The `langchain-core-mcp` wheel ships only the `.pth` loader and no bundled `_index.js`, instead walking every entry in `sys.path` for the payload at runtime. The split-staging architecture decouples loader from payload so static scanners that audit the wheel they were handed see nothing executable. The June 8 PyPI wave brought the campaign&apos;s cross-ecosystem total to 471 artifacts spanning 411 npm packages and 60 PyPI wheels since June 1, with Socket tracking it pivoting delivery mechanisms every 48 to 72 hours.</description><pubDate>Tue, 09 Jun 2026 00:00:00 GMT</pubDate><category>high</category><category>supply-chain</category><category>credential-theft</category><category>ai-supply-chain</category><category>exploited-in-the-wild</category><category>data-exfiltration</category></item><item><title>Claude Code GitHub Action Prompt Injection Hijacks Any Downstream Repo</title><link>https://modelcontextproblems.com/#incident-17/</link><guid isPermaLink="true">https://modelcontextproblems.com/#incident-17/</guid><description>GMO Flatt Security&apos;s RyotaK and Microsoft Threat Intelligence published parallel research disclosing prompt-injection bypasses in Anthropic&apos;s official `claude-code-action` GitHub Action. Flatt&apos;s writeup, posted June 2, traced the `checkWritePermissions` function unconditionally trusting any actor whose login ended in `[bot]`, which let any GitHub App author crafted issues whose contents Claude then treated as authorized instructions. Microsoft&apos;s June 5 post documented a second path: the agent&apos;s `Read` tool sat outside the Bubblewrap sandbox that wrapped `Bash`, so `/proc/self/environ` was reachable from inside any triage run. Both chains exfiltrated the workflow&apos;s `ANTHROPIC_API_KEY`, OIDC token, and any other CI secrets via the GitHub MCP server&apos;s `update_issue` tool, WebFetch, or echoed log output. Anthropic rated the issues 7.8 under CVSS v4.0, shipped fixes across `claude-code-action` v1.0.94 and Claude Code 2.1.128, and paid a bounty. A variant of the same misconfiguration class was already exploited in February against Cline&apos;s triage workflow to steal an npm publish token and push an unauthorized `cline@2.3.0`.</description><pubDate>Tue, 02 Jun 2026 00:00:00 GMT</pubDate><category>high</category><category>prompt-injection</category><category>supply-chain</category><category>github</category><category>credential-theft</category><category>data-exfiltration</category></item><item><title>mcp-server-kubernetes Ships Two Access Control Bypasses in Two Weeks</title><link>https://modelcontextproblems.com/#incident-16/</link><guid isPermaLink="true">https://modelcontextproblems.com/#incident-16/</guid><description>Flux159&apos;s `mcp-server-kubernetes` shipped two access-control failures disclosed two weeks apart in late May and early June 2026. CVE-2026-46519 (CVSS 8.8), published May 21, found that the `ALLOWED_TOOLS`, `ALLOW_ONLY_READONLY_TOOLS`, and `ALLOW_ONLY_NON_DESTRUCTIVE_TOOLS` environment variables were enforced only inside the `tools/list` handler. The `tools/call` handler had none of those checks, so any client that already knew a tool name could invoke `kubectl_delete`, `exec_in_pod`, or `kubectl_generic` regardless of the configured restriction mode. v3.6.0 added matching enforcement at the execution layer. CVE-2026-47250 (CVSS 3.1), published June 5, showed that `kubectl_generic` still passed user-supplied flags straight to `kubectl` with no allowlist. A prompt injection planted in pod logs could nudge the agent to call `kubectl_generic` with `--server=https://attacker.example/` and `--insecure-skip-tls-verify=true`, sending the operator&apos;s bearer token to the attacker. v3.7.0 added flag filtering. The researcher confirmed the full prompt-injection-to-token-exfiltration chain end to end against a live `kind` cluster with Claude Haiku as the agent.</description><pubDate>Thu, 21 May 2026 00:00:00 GMT</pubDate><category>high</category><category>prompt-injection</category><category>authorization</category><category>privilege-escalation</category><category>command-injection</category></item><item><title>Claude Code SOCKS5 Sandbox Bypass Exfiltrates Credentials and MCP Configs</title><link>https://modelcontextproblems.com/#incident-15/</link><guid isPermaLink="true">https://modelcontextproblems.com/#incident-15/</guid><description>Aonan Guan, who leads cloud and AI security at Wyze Labs, publicly disclosed his second Claude Code network sandbox bypass in five months. The latest issue is a SOCKS5 hostname null-byte injection. Claude Code&apos;s proxy enforces its egress allowlist by passing the raw DOMAINNAME bytes from a CONNECT request through a JavaScript `endsWith()` check against the user&apos;s wildcard policy. JavaScript treats `\x00` as an ordinary UTF-16 code unit, so a crafted host like `attacker-host.com\x00.google.com` matches an allowlist entry for `.google.com` and is approved. When libc later resolves the hostname via `getaddrinfo()`, the C runtime truncates at the null byte and dials `attacker-host.com` instead. Every release from v2.0.24 (sandbox GA on Oct 20, 2025) through v2.1.89 was vulnerable. Anthropic shipped a fix in v2.1.90 on April 1, 2026, with no security note in the changelog, no advisory on the Claude Code page, and no CVE assigned. Exfiltration paths reachable from inside the sandbox include MCP server configs, `~/.claude.json`, project source, and anything else the agent could read.</description><pubDate>Wed, 20 May 2026 00:00:00 GMT</pubDate><category>high</category><category>data-exfiltration</category><category>sandbox-escape</category><category>authentication</category></item><item><title>NSA Publishes MCP Security Design Considerations</title><link>https://modelcontextproblems.com/#incident-13/</link><guid isPermaLink="true">https://modelcontextproblems.com/#incident-13/</guid><description>The NSA&apos;s Artificial Intelligence Security Center released a Cybersecurity Information Sheet titled &quot;Model Context Protocol (MCP): Security Design Considerations for AI-Driven Automation.&quot; The document flags MCP&apos;s &quot;rapid proliferation [that] has outpaced the development of its security model.&quot; It calls out the protocol&apos;s inversion of the typical client-server pattern (the server can prompt the client to take actions) and enumerates systemic concerns: trust boundary ambiguity, unverified task propagation, session-replay risk, and serialization issues. It urges &quot;heightened scrutiny&quot; for production deployments, especially in national-security and high-assurance environments.</description><pubDate>Wed, 20 May 2026 00:00:00 GMT</pubDate><category>informational</category><category>protocol-design</category><category>government-guidance</category><category>advisory</category><category>ai-supply-chain</category></item><item><title>Mini Shai-Hulud Worm Weaponizes Claude Code and MCP Configs for Persistence</title><link>https://modelcontextproblems.com/#incident-14/</link><guid isPermaLink="true">https://modelcontextproblems.com/#incident-14/</guid><description>TeamPCP&apos;s Mini Shai-Hulud worm campaign ran through April and May 2026, hijacking npm maintainer accounts and publishing self-propagating malware across more than 600 packages on npm and PyPI. The May 19 wave compromised the `atool` and `prop` accounts and pushed 639 malicious versions across 323 packages in Alibaba&apos;s @antv data visualization ecosystem in a 22-minute automated burst. Earlier waves hit SAP CAP / `mbt` (April 29), TanStack (May 11), Mistral AI, Guardrails AI, UiPath, and OpenSearch. Each compromised release ships a preinstall hook that downloads the Bun JavaScript runtime as a living-off-the-land binary, then executes a credential harvester that sweeps cloud tokens, CI secrets, and password-manager vaults. The novel part: the payload reads `~/.claude.json` and the host&apos;s MCP server configurations, then appends `SessionStart` hooks to `.claude/settings.json` so the next time Claude Code opens any project on the machine, the malware re-executes with full agent privileges. Researchers at Akamai, Snyk, Wiz, StepSecurity, and Phoenix Security all confirmed the AI-coding-agent persistence behavior independently.</description><pubDate>Tue, 19 May 2026 00:00:00 GMT</pubDate><category>critical</category><category>supply-chain</category><category>credential-theft</category><category>exploited-in-the-wild</category><category>ai-supply-chain</category></item><item><title>nginx-ui MCP Endpoint Unauthenticated RCE</title><link>https://modelcontextproblems.com/#incident-12/</link><guid isPermaLink="true">https://modelcontextproblems.com/#incident-12/</guid><description>Pluto Security disclosed a critical (CVSS 9.8) vulnerability in nginx-ui&apos;s Model Context Protocol implementation. The MCP integration split traffic across two HTTP endpoints. `/mcp` handles session establishment and was correctly gated by an IP whitelist and auth middleware. `/mcp_message` handles tool invocation, including configuration writes and server restart, and shipped with no authentication at all. The default IP whitelist is empty, so the unauthenticated endpoint accepted connections from any address. Shodan turned up over 2,600 publicly exposed nginx-ui instances on the default port 9000. Pluto disclosed in early March 2026, v2.3.4 fixed it, and Recorded Future later listed the CVE among 31 vulnerabilities actively exploited by threat actors in March 2026.</description><pubDate>Sat, 25 Apr 2026 00:00:00 GMT</pubDate><category>critical</category><category>rce</category><category>authentication</category><category>exploited-in-the-wild</category><category>supply-chain</category></item><item><title>Anthropic MCP SDK STDIO Command Injection (Declined to Patch)</title><link>https://modelcontextproblems.com/#incident-11/</link><guid isPermaLink="true">https://modelcontextproblems.com/#incident-11/</guid><description>OX Security disclosed a systemic command-injection vulnerability in Anthropic&apos;s official MCP SDKs across Python, TypeScript, Java, and Rust. The STDIO transport invokes a configured command string through the OS shell unconditionally. If the intended MCP binary doesn&apos;t exist, the shell still executes whatever command was supplied. OX identified four distinct exploitation families all tracing back to the same root cause, affecting more than 7,000 publicly accessible servers and 150 million package downloads, with an estimated 200,000 vulnerable instances across the ecosystem. Anthropic acknowledged the behavior, declined to modify the protocol, and updated its security guidance to advise that STDIO adapters be &quot;used with caution.&quot; The company characterized the existing design as a *secure default* with sanitization being the developer&apos;s responsibility. Downstream CVEs already cluster around the same root cause: CVE-2026-22252 (LibreChat), CVE-2026-22688 (WeKnora), CVE-2025-54994 (@akoskm/create-mcp-server-stdio).</description><pubDate>Wed, 15 Apr 2026 00:00:00 GMT</pubDate><category>critical</category><category>rce</category><category>command-injection</category><category>supply-chain</category><category>protocol-design</category></item><item><title>Perplexity Ditches MCP</title><link>https://modelcontextproblems.com/#incident-10/</link><guid isPermaLink="true">https://modelcontextproblems.com/#incident-10/</guid><description>At its core, the article argues that MCP is too token-hungry to be practical at production scale, with tool definitions consuming the majority of context before any user request is even processed. Several major companies are independently abandoning it in favor of lighter-weight alternatives like traditional APIs and CLIs.</description><pubDate>Mon, 16 Mar 2026 00:00:00 GMT</pubDate><category>informational</category><category>protocol-design</category><category>ai-supply-chain</category><category>vendor-abandonment</category></item><item><title>ContextCrush Flaw in Context7 MCP Server</title><link>https://modelcontextproblems.com/#incident-9/</link><guid isPermaLink="true">https://modelcontextproblems.com/#incident-9/</guid><description>Noma Labs discovered the ContextCrush vulnerability in Context7, a registry that delivers coding documentation to AI assistants via an MCP server. Attackers manipulated the platform&apos;s Custom Rules feature to plant malicious instructions. When an AI coding assistant (like Cursor or Windsurf) queried the documentation, it ingested the poisoned rules via the trusted MCP channel and autonomously executed harmful actions, such as stealing .env files.</description><pubDate>Wed, 18 Feb 2026 00:00:00 GMT</pubDate><category>critical</category><category>prompt-injection</category><category>credential-theft</category><category>supply-chain</category></item><item><title>Microsoft MarkItDown MCP Server SSRF</title><link>https://modelcontextproblems.com/#incident-8/</link><guid isPermaLink="true">https://modelcontextproblems.com/#incident-8/</guid><description>BlueRock researchers discovered a severe Server-Side Request Forgery (SSRF) flaw in the MCP server built for Microsoft&apos;s MarkItDown file converter. The server failed to validate URIs, allowing attackers to force the AI agent to query local cloud metadata endpoints (e.g., AWS 169.254.169.254). Subsequent scans revealed over 36% of public MCP servers contained similar SSRF vulnerabilities.</description><pubDate>Wed, 21 Jan 2026 00:00:00 GMT</pubDate><category>critical</category><category>ssrf</category><category>cloud-metadata</category><category>aws</category></item><item><title>Anthropic Git MCP Server RCE</title><link>https://modelcontextproblems.com/#incident-7/</link><guid isPermaLink="true">https://modelcontextproblems.com/#incident-7/</guid><description>Cyata researchers disclosed a chain of critical vulnerabilities in Anthropic&apos;s official Git MCP server. The flaws included an unrestricted git_init function, a path-validation bypass, and an argument-injection vulnerability. Attackers could chain these to turn arbitrary directories into Git repositories, overwrite system files, and achieve RCE via malicious .git/config manipulation.</description><pubDate>Tue, 20 Jan 2026 00:00:00 GMT</pubDate><category>high</category><category>rce</category><category>file-overwrite</category><category>git</category></item><item><title>Anthropic Filesystem MCP Sandbox Escape</title><link>https://modelcontextproblems.com/#incident-6/</link><guid isPermaLink="true">https://modelcontextproblems.com/#incident-6/</guid><description>Cymulate disclosed two high-severity defects in Anthropic&apos;s official Filesystem MCP Server. Attackers exploiting these flaws could list, read, or write to directories outside the allowed scope. If the server was run as a privileged user, this could lead to full sandbox escape, manipulation of critical system files, and privilege escalation.</description><pubDate>Tue, 15 Jul 2025 00:00:00 GMT</pubDate><category>high</category><category>sandbox-escape</category><category>privilege-escalation</category><category>filesystem</category></item><item><title>Anthropic MCP Inspector Local Network RCE</title><link>https://modelcontextproblems.com/#incident-5/</link><guid isPermaLink="true">https://modelcontextproblems.com/#incident-5/</guid><description>Oligo Security and Tenable discovered a critical flaw (CVSS 9.4) in the Anthropic MCP Inspector tool. Because the interactive web UI launched via localhost lacked out-of-the-box authentication, an attacker on the same local network could inject malicious commands (NeighborJacking) or use cross-site attacks to achieve RCE.</description><pubDate>Thu, 10 Jul 2025 00:00:00 GMT</pubDate><category>critical</category><category>rce</category><category>local-network</category><category>authentication</category></item><item><title>mcp-remote OS Command Injection</title><link>https://modelcontextproblems.com/#incident-4/</link><guid isPermaLink="true">https://modelcontextproblems.com/#incident-4/</guid><description>The JFrog Security Research team discovered a critical vulnerability (CVSS 9.6) in mcp-remote, a popular proxy tool (over 437,000 downloads) used to connect local LLM hosts to remote MCP servers. If a user connected to a malicious remote MCP server, the server could send a booby-trapped authorization_endpoint URL that achieved full arbitrary OS command execution on the user&apos;s local machine.</description><pubDate>Wed, 09 Jul 2025 00:00:00 GMT</pubDate><category>critical</category><category>rce</category><category>command-injection</category><category>mcp-remote</category></item><item><title>Asana MCP Server Cross-Tenant Data Leak</title><link>https://modelcontextproblems.com/#incident-3/</link><guid isPermaLink="true">https://modelcontextproblems.com/#incident-3/</guid><description>Work management platform Asana had to temporarily disable its experimental MCP feature after discovering a logic flaw in its implementation. The misconfiguration failed to isolate cross-tenant data, meaning AI agents could potentially access customer data, projects, and tasks belonging to entirely different organizations.</description><pubDate>Wed, 18 Jun 2025 00:00:00 GMT</pubDate><category>high</category><category>data-leak</category><category>cross-tenant</category><category>authorization</category></item><item><title>LangSmith AgentSmith Prompt Hub Flaw</title><link>https://modelcontextproblems.com/#incident-2/</link><guid isPermaLink="true">https://modelcontextproblems.com/#incident-2/</guid><description>A severe vulnerability (CVSS 8.8) dubbed AgentSmith was disclosed in LangSmith&apos;s Prompt Hub. The flaw exposed AI agents using MCP to data theft and manipulation, allowing malicious agents to hijack LLM responses and steal user API keys.</description><pubDate>Thu, 12 Jun 2025 00:00:00 GMT</pubDate><category>high</category><category>credential-theft</category><category>llm-manipulation</category><category>prompt-hub</category></item><item><title>GitHub MCP Prompt Injection Data Heist</title><link>https://modelcontextproblems.com/#incident-1/</link><guid isPermaLink="true">https://modelcontextproblems.com/#incident-1/</guid><description>Security researchers at Invariant Labs discovered a critical vulnerability affecting the official GitHub MCP integration. Attackers could create maliciously crafted issues in public repositories. When a developer asked their AI assistant to check open issues, the AI would read the malicious payload, get prompt-injected, and autonomously use the developer&apos;s credentials to exfiltrate private repository data (such as source code and salary information) into public pull requests.</description><pubDate>Mon, 26 May 2025 00:00:00 GMT</pubDate><category>critical</category><category>prompt-injection</category><category>data-exfiltration</category><category>github</category></item></channel></rss>