The galloping pace of AI adoption brings with it a stream of new tools and services, some of which prioritize ease of implementation over security. Topping the list is the Model Context Protocol (MCP), an open-source standard from Anthropic that connects AI agents to external systems. MCP has rapidly emerged as one of AI’s most indispensable tooling frameworks.

Dubbed “USB-C for AI,” MCP has the potential to greatly increase agentic AI’s utility—along with the size of its attack surface. By linking AI agents and LLMs to remote services, workflows, and data sources via a common interface, MCP vulnerabilities can open up a huge range of sensitive assets to cybercriminals.

Key takeaways

• MCP is an emerging standard that allows AI systems to connect to diverse applications and data sources and perform automated actions, like reading emails and accessing SaaS solutions.
• Designed for ease of adoption over security, MCP introduces unique vulnerabilities, some of which are very difficult to detect.
• The most common MCP vulnerabilities include credential theft, prompt injection, tool poisoning, excessive privileges, identity weaknesses, and rogue/shadow MCP servers.
• Research shows that many open-source MCP servers present attackers with one or more exploitable weaknesses.
• The good news is that building cybersecurity best practices into your MCP architecture can mitigate many risks.

What is MCP?

MCP is a de facto connectivity standard that allows LLMs and AI agents to answer emails, open documents, access APIs, make changes to databases, and perform other actions beyond their training data. Amazon, Microsoft, Google, OpenAI, and other AI leaders offer MCP integration within their platforms.

MCP radically diversifies AI workflow possibilities by defining a common, JSON-based language for MCP clients (e.g., a personal assistant) to connect to MCP servers (e.g., a file system) to access content or invoke actions. Developers can simply implement MCP within an AI agent to connect to any MCP server.

Applications, databases, and other tools and services offer MCP servers to expose their data or capabilities to AI systems. There are already more than 10,000 publicly available MCP servers in online directories and catalogs, including the official MCP server repository on GitHub. AI developers can also access MCP registries directly from AI coding assistants, development tools, and SaaS platforms.

By extending AI’s access to real-time data, cloud services, code repositories, etc., MCP streamlines AI development and deployment while empowering all kinds of autonomous behavior. For example, MCP allows an AI agent (MCP client) to run SQL queries against a database (MCP server), access the contents of locally stored files (MCP server) or read code from a GitHub repository (MCP server).

But with great accessibility comes great potential risk. MCP-enabled AI systems introduce unique cybersecurity threats beyond conventional applications, and MCP does not natively provide robust cybersecurity controls. Designed to make it fast and easy to integrate agentic AI with the widest possible range of applications, development tools, and enterprise content, MCP leaves AI developers and integrators largely on their own to address the resulting vulnerabilities.

What are the major security issues with MCP?

Exploiting MCP vulnerabilities for unauthorized purposes is quickly becoming more common. Yet many organizations are not yet aware of the high risk they already face.

“MCP is a double-edged sword,” says Jason Rebholz, CEO and co-founder at Evoke Security. “From a productivity standpoint, it’s amazing. But it introduces a whole new class of threats that we are not prepared to deal with, even though they have a lot of parallels to existing security challenges. It’s a nightmare waiting to happen and it scares the crap out of me.”

Jason cites the landmark 2025 Postmark MCP supply chain breach. Hackers created a backdoor in an npm package that developers used to send transactional emails through Postmark in AI automation pipelines. A single line of malicious code directed compromised MCP servers to blind-copy every outgoing email to the attackers—sending them everything from internal project memos to password resets to invoices.

Besides supply chain attacks, MCP connections are also vulnerable to AI cyber risks like:

• Credential theft or token theft. Hackers can compromise improperly protected tokens that MCP servers store to interact with various services, such as OAuth tokens and API keys. These credentials can enable takeovers of sensitive assets like email inboxes and remote drives, leaving victims open to data exfiltration, social engineering attacks, etc.
• Prompt injection and command injection. Bogus prompts can fool an AI system into running system commands or API calls to achieve unauthorized data access or remote code execution.
• Tool poisoning. Similar to a supply chain attack, cybercriminals can compromise third-party tools (MCP servers) or register malicious tools that contain hidden code or backdoors to steal data or perpetrate some other damage. When the AI (MCP client) calls the poisoned resource, the attack executes automatically.
• Rogue or shadow MCP servers. MCP servers are very easy to deploy and very difficult for IT to track, never mind update. Deployment of improperly secured MCP servers—or their deliberate introduction by hackers—creates an invisible and indefensible attack surface that only gets bigger as those “lost” server versions get more outdated.
• Excessive privilege risks. Without the proper safeguards, MCP servers can request and receive privileged access to all kinds of sensitive data, greatly increasing the potential impact of a successful attack.
• Weak identity verification. Insufficient identity verification makes it easier for attackers to impersonate legitimate roles or abuse excessive privileges.
• Context bleeding. If MCP sessions are not properly isolated, sensitive data can leak from one session to another.

How vulnerable is today’s MCP ecosystem?

According to Docker’s analysis of the MCP ecosystem, some of the “horror stories” studies have revealed about current MCP usage include:

• About two-thirds of open-source MCP servers show “poor MCP security practices.”
• Flaws in OAuth authentication flows affect 43% of MCP servers. These vulnerabilities form the basis for supply chain attacks impacting thousands of development environments.
• 43% of MCP servers contain command injection vulnerabilities, opening the door to remote code execution attacks.
• 33% of MCP servers allow unrestricted network access to download malware, exfiltrate data, and communicate with an attacker’s command-and-control system.
• 22% of MCP servers allow access to files outside intended data sources. Combined with other vulnerabilities, this creates a mammoth data exfiltration opportunity. Software development assets are a popular target.
• 5% of open-source MCP servers are already seeded with tool poisoning attacks—a new, AI-specific cyber threat.
• A high percentage of MCP servers expose sensitive credentials as plaintext, often through environment variables or in logs.

How can AI users defend against MCP threats?

Taking time to build cybersecurity controls into MCP configurations is essential to reducing AI risk. Best-practice protection tactics include:

• Enforce least-privilege permissions and robust access controls for MCP servers.
• Require secure authentication and identity management, including TLS/HTTPS protocols and cryptographic signatures for server identification.
• Use strong input validation to reduce prompt injection risks.
• Log and trace MCP interactions locally to spot potential threats.
• Require a human user’s approval for sensitive actions.
• Include MCP servers in your vulnerability management process.
• Review third-party MCP server code for vulnerabilities before using it.

Jason Rebholz argues that a further way to reduce MCP related risks is to use the protocol only when necessary.

“I would argue that in most cases you don’t need to use it,” asserts Jason. “If you can do a straight-up API call to a tool, do that. Start with a secure decision, like, ‘Do I need to go down this route? Is this really helping me solve a problem?’”

In Jason’s view, an optimally designed MCP configuration can be acceptably secure—but teams need governance and guardrails to get there.

“I have no doubt that we are eventually going to figure out how to do this well,” Jason shares. “But let’s make sure we’re not stepping on a landmine right away.”

What about all the convenience of an AI agent that has access to everything you need, and then some?

Jason advises: “That’s the promised land—and all it’s going to cost you is giving all of your access to all of your data to an AI agent.”

What’s next?

For more guidance on this topic, listen to Episode 156 of The Virtual CISO Podcast with guest Jason Rebholz, CEO and co-founder at Evoke Security.