Security Vulnerabilities in Model Context Protocol (MCP) Implementations
Security researchers have identified significant vulnerabilities in implementations of the Model Context Protocol (MCP), a standard developed by Anthropic to facilitate secure and standardized connections between large language models (LLMs) and external data sources or tools. One notable vulnerability involved Burp's MCP server, which exposed a localhost port without proper web origin validation, enabling DNS rebinding attacks that could turn a user's Burp installation into a remote SSRF engine. This flaw allowed attackers to hijack Burp’s MCP tools and access internal networks, and was responsibly disclosed and rewarded with a $2,000 bounty.
In addition, prompt hijacking attacks have been demonstrated against MCP-based AI workflows, particularly when session ID management is insecure. Researchers from JFrog discovered that the oatpp-mcp implementation generated predictable session IDs, making it susceptible to session hijacking and prompt injection attacks. These vulnerabilities highlight the risks associated with insecure MCP server configurations and underscore the need for robust validation, session management, and defensive controls when deploying MCP in security-sensitive environments.

How this story unfolded
25 events from the most recent confirmed update back to the earliest known activity.
Mitiga discloses Claude Code MCP traffic hijack for OAuth token theft
Mitiga Labs disclosed a five-step supply-chain attack against Anthropic Claude Code's MCP integrations in which a malicious npm package modifies the local ~/.claude.json file to redirect MCP traffic through attacker-controlled infrastructure. The attack enables interception of persistent OAuth bearer tokens for connected SaaS services such as Jira, Confluence, and GitHub, and Mitiga said Anthropic had been notified in April 2026 but did not plan to issue a patch.
Flowise MCP ghost-commands RCE reported
Researchers reported a post-authentication remote code execution vulnerability in Flowise's MCP implementation caused by a sandboxing failure involving attacker-controlled MCP configurations. The issue can reportedly be triggered with a single click by importing a malicious chatflow before any save or run action, and the researchers said the official patch is bypassable and does not address the root cause.
Session hijacking flaw disclosed in MCP Toolbox SSE handler
Researchers disclosed CVE-2026-9739, a critical vulnerability in MCP Toolbox caused by a hardcoded wildcard access-control header in the Server-Sent Events handler that bypasses intended origin restrictions. The flaw can let malicious websites connect to the local server and enable session hijacking, arbitrary tool execution, open-proxy abuse, and data exfiltration from connected databases.
Microsoft patches VS Code MCP installer flaw CVE-2026-41613
Microsoft patched a Visual Studio Code vulnerability, tracked as CVE-2026-41613, that allowed malicious one-click MCP installer links to hide extra configuration fields and potentially hijack developer machines. Oasis Security said attackers could inject hidden environment variables or HTTP headers to achieve arbitrary code execution, force MCP authentication as the attacker, and persist malicious settings across editor restarts.
SSRF disclosed in Anthropic mcp-server-fetch and Microsoft playwright-mcp
A public advisory disclosed SSRF vulnerabilities in Anthropic's mcp-server-fetch and Microsoft's playwright-mcp, stating that affected versions accepted arbitrary URLs without sufficient allowlisting or internal network protections. The disclosure said the flaws could be abused via prompt injection to reach internal resources such as AWS IMDS, and also described a logic bypass in mcp-server-fetch where get_prompt invoked fetch_url() without the intended autonomy check.
Measurement study finds pervasive auth flaws in remote MCP servers
A research paper reported the first large-scale measurement study of authentication security in remote MCP servers, identifying 7,973 live servers and finding that 40.55% exposed tools without authentication. Among 119 testable OAuth-enabled servers, the researchers found 325 flaws affecting every server tested, reported 9 CVEs through responsible disclosure, and warned that the issues could enable information leakage and account takeover.
Unauthenticated RCE disclosed in Windows-MCP HTTP transport
A vulnerability tracked as GHSA-VRXG-GM77-7Q5G was disclosed in a FastMCP-based Windows-MCP application, where missing authentication and insecure CORS settings allowed unauthenticated JSON-RPC requests to reach execution routines that invoked PowerShell with attacker-controlled input. Version 0.7.5 fixed the issue by requiring a bearer auth key and replacing wildcard CORS with explicitly trusted origins.
VIPER-MCP study reports 106 zero-days across open-source MCP servers
Researchers presented VIPER-MCP, an automated framework for detecting and validating taint-style vulnerabilities in MCP server tool handlers that can expose sensitive sinks such as shell execution, network access, and file operations. In a scan of 39,884 open-source MCP server repositories, the study reported 106 confirmed zero-day vulnerabilities, said 67 CVEs had been assigned, and stated that all findings were responsibly disclosed to affected developers.
Unauthenticated browser control disclosed in camofox-mcp
A vulnerability tracked as GHSA-7HGR-7H44-33W2 was disclosed in camofox-mcp affecting versions before 1.13.2, where the /mcp endpoint lacks inbound authentication and relies only on rate limiting. Because the MCP server forwards requests to a protected headless browser backend using its own API key, a reachable attacker can interact with browser automation tools with server privileges, including opening tabs, visiting URLs, and extracting page content or screenshots.
CVE-2026-42559 disclosed in dynoxide MCP HTTP transport
A DNS rebinding and CSRF vulnerability, tracked as GHSA-FVH2-GM75-J4J7 / CVE-2026-42559, was disclosed in dynoxide when its MCP HTTP transport is enabled locally. The flaw allows attacker-hosted JavaScript to rebind a controlled domain to 127.0.0.1, send JSON-RPC requests to the local service, execute DynamoDB-compatible queries, and exfiltrate database contents because the service does not validate the Host header.
Unauthenticated admin impersonation disclosed in MCPHub SSE endpoint
A vulnerability tracked as GHSA-WF8Q-WVV8-P8JF was disclosed in MCPHub's HTTP service that allows a network-accessible attacker to open an SSE connection to a privileged path such as /admin/sse/default and obtain an active admin sessionId without authentication. The attacker can then use that session ID to send JSON-RPC requests to the corresponding /admin/messages endpoint, enumerate tools, and interact with underlying system resources in the admin context.
Authorization bypass disclosed in Obot MCP Gateway
A vulnerability tracked as GHSA-VW82-7FV8-R6GP was disclosed in the Obot MCP Gateway that lets a low-privileged authenticated user access MCP server integrations they are not authorized to use. By sending a request to /mcp-connect/{target_mcp_id} with valid session tokens, an attacker can exploit insecure route allowlisting to connect to a target MCP server and interact with it as though they were an authorized higher-privileged user.
Akamai discloses MCP database server flaws in Doris, Pinot, and Alibaba RDS
Akamai security analyst Tomer Peled disclosed three MCP server vulnerabilities affecting integrations for Apache Doris, Apache Pinot, and Alibaba RDS that could enable SQL injection, unauthorized metadata access, and possible database takeover. Apache Doris patched its issue and assigned CVE-2025-66335, Apache Pinot had an open security issue with StarTree adding OAuth support, and Alibaba reportedly declined to patch its RDS MCP flaw.
Bishop Fox discloses SSRF and token passthrough flaws in MCP servers
Bishop Fox reported that SSRF and token-passthrough patterns in MCP servers can enable credential theft, cloud compromise, and remote code execution. The research highlighted case studies in mcp-atlassian, Microsoft's MarkItDown MCP server, and OpenClaw, including an mcp-atlassian exploit chain combining SSRF with path traversal to achieve unauthenticated RCE.
OX Security reports MCP supply-chain command execution risk
OX Security disclosed a systemic architectural weakness in Anthropic's Model Context Protocol ecosystem that it said could enable arbitrary command execution through vulnerable MCP implementations and adapters. The researchers traced the issue through GPT Researcher and LangChain's langchain-mcp-adapters to Anthropic's original modelcontextprotocol implementation, reporting successful command execution on six official services and more than 30 coordinated disclosures.
Unauthenticated info exposure disclosed in n8n-mcp HTTP transport
A vulnerability tracked as GHSA-75HX-XJ24-MQRW was disclosed in n8n-mcp's HTTP transport, where GET /mcp and DELETE /mcp lacked equivalent authentication controls and the /health endpoint exposed sensitive diagnostic data. The issue allowed network-adjacent unauthenticated actors to obtain internal state details, including active transport session identifiers and security configuration information.
Authenticated SSRF disclosed in n8n-mcp multi-tenant mode
A vulnerability tracked as GHSA-4GGG-H7PH-26QR was disclosed in n8n-mcp that allows an authenticated attacker to perform server-side request forgery in multi-tenant deployments. The flaw can expose internal services and cloud metadata endpoints, potentially leaking temporary cloud credentials and enabling lateral movement if the host instance has elevated permissions.
CVE-2026-35568 disclosed in MCP Java SDK server transport layer
A critical DNS rebinding vulnerability, tracked as CVE-2026-35568 and GHSA-8jxr-pr72-r468, was disclosed in the MCP Java SDK server implementation. The flaw affects io.modelcontextprotocol.sdk:mcp-core before 1.0.0 and allows cross-origin JSON-RPC requests to local MCP servers due to missing origin validation, potentially leading to unauthorized actions or remote code execution depending on exposed tools.
AgentSeal reports toxic data flows in 555 MCP servers
AgentSeal published research describing 'toxic data flows' across 555 MCP servers, indicating a broad class of insecure data-handling paths in the MCP ecosystem. This finding is distinct from the prompt hijacking, transport-layer, and authentication flaws listed above.
Cymulate discloses EscapeRoute flaws in Anthropic MCP server
Cymulate published research on 'EscapeRoute', affecting Anthropic's MCP server and tracked as CVE-2025-53109 and CVE-2025-53110. This is a distinct vulnerability disclosure, separate from the MCP implementation and architectural flaws listed above.
File access restriction bypass disclosed in AWS API MCP
A GitHub security advisory, GHSA-2cpp-j2fc-qhp7 in awslabs/mcp, described a file access restriction bypass in the AWS API MCP project. It is a separate MCP vulnerability affecting AWS-related tooling.
CVE-2025-6515 highlighted in oatpp-mcp implementation
JFrog identified CVE-2025-6515 in oatpp-mcp, the MCP implementation for the Oat++ C++ web framework, as a concrete example of the prompt hijacking weakness. In the demonstrated attack, adversaries could pre-generate session IDs, wait for them to be reassigned to legitimate clients, and then send malicious requests that the server would treat as coming from the victim.
JFrog discloses prompt hijacking risk in MCP workflows
JFrog researchers warned that Model Context Protocol (MCP) workflows can be vulnerable to a prompt injection technique they call prompt hijacking, caused by predictable or reusable session IDs in MCP server implementations. The issue can let attackers inject malicious prompts into legitimate MCP communications without compromising the underlying model.
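The DNS rebinding entries above (Burp, MCP Toolbox, dynoxide, the MCP Java SDK) and the oatpp-mcp session-ID entries share two root causes: a loopback bind trusted in place of Host/Origin header validation, and session IDs an attacker can predict. As an added defensive example, not code from any project on this page, here is a header gate and session table for a loopback-bound MCP HTTP transport; the function and class names and the constructed header values are assumptions.

```python
# Origin/Host validation and session-id hygiene for a loopback MCP HTTP transport.
# Added defensive example; not code from any project named on this page.
import ipaddress
import secrets
from typing import Dict, FrozenSet, Tuple
from urllib.parse import urlsplit

LOOPBACK_NAMES = {"localhost", "127.0.0.1", "::1"}

def _is_loopback(value: str) -> bool:
    """True only when a Host ('127.0.0.1:8080') or Origin ('http://localhost:3000')
    value names a literal loopback host; DNS is deliberately never consulted."""
    try:
        hostname = urlsplit(value if "://" in value else "//" + value).hostname
        return bool(hostname) and (hostname.lower() in LOOPBACK_NAMES
                                   or ipaddress.ip_address(hostname).is_loopback)
    except ValueError:  # malformed literal, or a DNS name such as attacker.example
        return False

def request_allowed(headers: Dict[str, str],
                    allowed_origins: FrozenSet[str] = frozenset()) -> Tuple[bool, str]:
    """Gate a JSON-RPC request to a 127.0.0.1-bound server on its Host/Origin headers:
    under DNS rebinding the loopback peer address proves nothing, the headers do."""
    if "*" in allowed_origins:
        raise ValueError("a wildcard allowlist is equivalent to no origin check")
    h = {k.lower(): v for k, v in headers.items()}
    host = h.get("host", "")
    if not _is_loopback(host):
        return False, "host not loopback: %r" % host
    origin = h.get("origin")  # absent for non-browser clients; 'null' for opaque origins
    if origin is not None and origin not in allowed_origins and not _is_loopback(origin):
        return False, "origin not allowed: %r" % origin
    return True, "ok"

class SessionTable:
    """Issue unpredictable session ids and honour only ids this server issued."""
    def __init__(self) -> None:
        self._active = set()

    def issue(self) -> str:
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, never a counter
        self._active.add(sid)
        return sid

    def accept(self, sid: str) -> bool:
        return sid in self._active  # unknown or guessed ids are rejected

    def close(self, sid: str) -> None:
        self._active.discard(sid)  # a closed id is never reissued to another client
```

Pair the header gate with an explicit, non-wildcard Access-Control-Allow-Origin on the response; a hardcoded '*' there undoes the check, as the MCP Toolbox and Windows-MCP entries show.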
Unauthenticated RCE disclosed in MCP Inspector proxy server
A GitHub security advisory disclosed GHSA-7f8r-222p-6f5g in the npm package @modelcontextprotocol/inspector, affecting versions before 0.14.1. The flaw stems from missing authentication between the Inspector client and proxy, allowing unauthenticated requests to launch MCP commands over stdio and potentially achieve arbitrary code execution; users were advised to upgrade to 0.14.1 or later.
GitHub MCP exploitation reported to access private repositories
A report described exploitation of GitHub's MCP integration that enabled access to private repositories via MCP. This is a distinct MCP security development affecting GitHub-related tooling, and it predates the June 2025 MCP Inspector disclosure listed above.
Sources
Hackers Can Hijack Claude Code MCP Traffic to Steal OAuth Tokens (cybersecuritynews.com)
Flowise's MCP implementation can run ghost commands | InfoWorld (infoworld.com)
MCP Toolbox Vulnerability Allows Session Hijacking (securityonline.info)
Microsoft Code Editor Flaw Lets Attackers Hijack Developer PCs (bankinfosecurity.com)
$2000 Bounty: From Browser to Burp (osintteam.blog)
Prompt hijacking puts MCP-based AI workflows at risk (csoonline.com)
Inspector proxy server vulnerabilities · Advisory · modelcontextprotocol/inspector · GitHub (github.com)
GitHub MCP Exploited: Accessing private repositories via MCP (simonwillison.net)