Close Menu
  • Home
  • News
  • Security
  • Privacy
  • Cybercrime
    • Threat Groups
    • Ransomware
    • Explainers
    • Stealer Logs
  • AI
  • OSINT
  • Tools
    • Ransomtracker
    • Stealercheck
    • FortiBleed Checker
  • Reviews
    • Best antivirus software for 2026: independent picks from Ransomnews
    • Best ransomware-resistant backup for 2026: cloud, hybrid, and immutable picks reviewed
    • Best ransomware protection for business 2026: Alerts.bar, ESET PROTECT and 6 alternatives reviewed
  • About Us
Facebook X (Twitter) Instagram Threads
Ransomnews
  • Home
  • News
  • Security
  • Privacy
  • Cybercrime
    • Threat Groups
    • Ransomware
    • Explainers
    • Stealer Logs
  • AI
  • OSINT
  • Tools
    • Ransomtracker
    • Stealercheck
    • FortiBleed Checker
  • Reviews
    • Best antivirus software for 2026: independent picks from Ransomnews
    • Best ransomware-resistant backup for 2026: cloud, hybrid, and immutable picks reviewed
    • Best ransomware protection for business 2026: Alerts.bar, ESET PROTECT and 6 alternatives reviewed
  • About Us
Facebook X (Twitter) LinkedIn
Ransomnews
AI

MCP security in 2026: the attack surface mapped

Martynas VareikisBy Martynas VareikisJune 28, 2026Updated:June 29, 2026No Comments11 Mins Read52 Views
Share Facebook Twitter Pinterest LinkedIn Tumblr Email Copy Link
MCP security in 2026: the attack surface mapped, ransomnews.com
Share
Facebook Twitter LinkedIn Pinterest Email Copy Link

The Model Context Protocol attack surface in 2026 has six recurring shapes: tool poisoning, line jumping, rug pulls, tool-chaining exfiltration, token sprawl, and plain remote code execution in the server itself. Each has a named, documented incident behind it, from the GitHub MCP data heist to the Supabase exfiltration chain to Asana’s cross-tenant leak. This is the field map: what each attack is, the incident that proves it real, and where the trust boundary actually broke.

If you have not read it yet, the what-is-MCP guide covers the protocol mechanics this piece assumes. The defensive counterpart, the controls that close each of these holes, lives in the secure MCP server hardening guide. Here we stay on offence and describe the surface as it actually looks after eighteen months of public exploitation.

// MCP ATTACK SURFACE
MCP host — model + N connected servers
tool poisoning
malicious text in tool metadata
tool-chaining exfil
read privileged, write to a sink
line jumping
inject before any call, via tools/list
token sprawl
one host, the union of all scopes
rug pull
definition changes after approval
cross-tenant
broken isolation, other orgs data
RCE in the server
command + deserialization flaws
confused deputy
agent acts with its own authority
Figure 1. The eight recurring MCP attack patterns. Four arrive through tool metadata and the server itself, four through composition, credentials, and identity.

Tool poisoning: the instruction hidden in the description

Tool poisoning is indirect prompt injection delivered through a tool’s own metadata. The malicious instruction sits in the tool’s description or parameter schema, text the model reads to decide whether and how to call the tool, but which a human approving the server usually never sees. Invariant Labs named the technique in early 2025, and Simon Willison documented the mechanics the same April: a tool described as a harmless calculator can carry a hidden line telling the model to read a config file and pass its contents as an “optional” argument.

The reason this works is that current safety alignment is content-based, and the content looks like a legitimate tool. A November 2025 benchmark of seven major MCP clients, published as MCPTox, measured tool-poisoning success rates above seventy percent, with the clients’ own refusal behaviour firing on under three percent of attempts. Read that pairing carefully: the model almost never recognises the poisoned tool as hostile. The defence is not better refusal, it is not trusting tool metadata in the first place.

Line jumping and tool shadowing

Line jumping is tool poisoning that fires before any tool is called. Trail of Bits coined the term for injections planted in the tools/list response during the initial MCP handshake, so the poisoned text reaches the model the moment a server connects, ahead of any user action. The related move is tool shadowing: a malicious server registers a tool whose name or description overlaps a trusted server’s tool, so the model routes a sensitive call to the attacker’s handler instead. Any credential reachable by any connected server is reachable through the shadowed tool, which is why connecting “just one more” community server is rarely free.

The structural point, and the one the NSA’s May 2026 guidance keeps returning to, is that MCP gives servers influence over client behaviour before the user has agreed to anything. The handshake is part of the attack surface, not a neutral setup step.

Rug pulls: trust that changes after approval

A rug pull exploits the gap between approval and use. An agent connects, calls tools/list, gets a clean set of definitions, and the user approves them. Later, the same server returns a modified list: altered descriptions, widened parameter schemas, renamed tools that now shadow a trusted server. Because most clients re-fetch tool definitions without re-prompting, the swap is silent. The technique is sometimes called silent redefinition, and the ETDI research proposes signed, OAuth-backed definitions precisely so that a changed tool fails verification instead of executing. Until signing is universal, the practical defence is pinning servers to a known commit and alerting on any definition that changes underneath you.

Tool-chaining exfiltration: the GitHub and Supabase pattern

The most damaging real MCP incidents of 2025 were not single-tool exploits. They were compositions. An attacker plants instructions in a place a privileged tool will read, then relies on a second tool to write the stolen data somewhere the attacker can reach. Each individual call is authorised. The breach lives in the chain.

In May 2025, Invariant Labs showed this against the official GitHub MCP server. A developer active in both public and private repositories had given their agent a broad Personal Access Token. An attacker filed a malicious GitHub issue in a public repo; when the developer asked their agent to triage open issues, the embedded instruction steered it into reading private repositories and leaking their contents, including private project details and salary information, back into a public pull request. There was no software bug in the classic sense. The token was too broad and the composition did the rest.

The Supabase case, demonstrated by General Analysis against Supabase MCP used from Cursor, is the same shape with a database on the end. An attacker opened a support ticket whose body contained instructions for the agent. The agent called execute_sql to read the ticket, treated the embedded text as user intent, issued a second execute_sql against the integration_tokens table, and wrote the stolen API keys and OAuth tokens back as a new message on the public-facing ticket. Read from a privileged source, write to an attacker-visible sink, two authorised calls, one exfiltration.

// TOOL-CHAINING EXFILTRATION  (Supabase pattern)
1 . attacker files a support ticket — with a hidden payload
↓
2 . agent reads the ticket — execute_sql (authorised)
↓
3 . payload becomes intent — no instruction / data split
↓
4 . read secrets — integration_tokens table
↓
5 . write to a sink — a new public ticket message
↓
6 . attacker reads — API keys + OAuth tokens
Steps 1 to 4 are each individually authorised. The exfiltration is the composition: a privileged read followed by a write to an attacker-visible sink (red).
Figure 2. Each call is individually authorised. The exfiltration is the composition: privileged read, then write to an attacker-visible sink.

Token sprawl and cross-tenant failure: the Asana leak

MCP servers hoard credentials. A single host running Notion, Linear, GitHub, and a database server holds the union of all those scopes, so one compromised machine hands an attacker every system at once. This is the token-sprawl problem, and it turns a modest foothold into a wide blast radius. Treat MCP server credentials like CI/CD secrets, because functionally that is what they are.

The hosted-MCP version of the problem is broken tenant isolation. On 4 June 2025, Asana disclosed a flaw in its MCP server where a faulty isolation check could let one organisation’s users see another organisation’s project data, tasks, comments, and files. Asana estimated roughly a thousand customers were exposed. No prompt injection, no clever chain, just a multi-tenant authorization bug in an AI connector that shipped before its access model was watertight. As more vendors rush MCP servers to market, this category, the boring server-side authz bug, will keep producing the largest single-incident exposures.

The RCE class: when the server itself is the vulnerability

Underneath the AI-specific attacks sits a thoroughly conventional problem: MCP servers are software, and a lot of it shipped with classic remote-code-execution bugs. The pattern is almost always a tool passing model-supplied strings into a shell or an unsafe deserializer. The notable 2025 entries:

  • CVE-2025-6514 (CVSS 9.6) in mcp-remote, arbitrary OS command execution on the client host when it connects to a malicious server. Patched in 0.1.16.
  • CVE-2025-49596 (CVSS 9.4) in Anthropic’s MCP Inspector, browser-driven RCE against the local debugging tool. Fixed in 0.14.1.
  • CVE-2025-53967 in the Figma (Framelink) MCP server, unauthenticated command injection.
  • CVE-2025-53107 in a Git MCP server and CVE-2025-65719 in a kubectl MCP server, both command injection through tool arguments.

None of these required AI to exploit. They are the reminder that an MCP server is an internet-facing service first and an AI component second, and that the application-security fundamentals, parameterised execution, input validation, no shell concatenation, still decide whether the server is safe.

What the standards bodies are now saying

The official response arrived in 2025 and 2026. CISA issued joint guidance in May 2025 placing AI-agent infrastructure squarely inside the attack surface SOC teams must monitor. The NSA’s Artificial Intelligence Security Center published its MCP Security Design Considerations on 20 May 2026, warning that the protocol’s proliferation outpaced its security model and pressing for clear trust zones, least privilege, and rigorous review of any MCP tool before deployment. And OWASP folded the agent-and-tool layer into its Top 10 for Agentic Applications 2026, where tool misuse, identity abuse, and unsafe tool chaining all appear as first-class risks. The through-line of all three: MCP is no longer a research curiosity, it is enterprise attack surface, and it should be governed like one.

Where defence actually starts

Every attack on this map breaks one of four boundaries: identity, scope, composition, or the instruction-versus-data line. Defending it is not a single product. It is least-privilege credentials so token sprawl and the GitHub pattern lose their reach, scoped and human-gated tool calls so chaining cannot quietly read-then-write, pinned and signed definitions so rug pulls fail closed, and ordinary application-security hygiene so the server is not an RCE waiting to happen. The build-side version of all of this is in the secure MCP server guide, and the agent-layer view, where these risks compound once the model can act on its own, is in our agentic AI threats analysis.

FAQ

What is the difference between tool poisoning and a rug pull?

Tool poisoning hides a malicious instruction in a tool’s metadata that is present from the start. A rug pull starts clean and swaps in the malicious definition after the user has approved the server. Poisoning is a bad tool you accepted; a rug pull is a good tool that turned bad behind your back.

Was the GitHub MCP incident a vulnerability in GitHub’s code?

Not in the traditional sense. The server behaved as designed. The exposure came from an over-broad Personal Access Token combined with an injected instruction in a public issue, so the agent used its legitimate access to read private repos. The fix is least-privilege tokens and one-repository-per-session limits, not a code patch.

How did the Supabase attack exfiltrate data if every call was authorised?

Through composition. The agent read a support ticket containing hidden instructions, treated them as intent, queried a secrets table, and wrote the results back to a public ticket message. No single call was unauthorised; the exfiltration was the sequence of a privileged read followed by a write to an attacker-visible sink.

Are remote MCP servers more dangerous than local ones?

They carry more surface. A local stdio server has no network listener, while a remote server inherits the full web-service threat model plus tenant isolation, as Asana’s June 2025 cross-tenant leak showed. Local servers are not risk-free, but most of the largest single-incident exposures have been on hosted servers.

Does the MCP authorization spec fix these problems?

It fixes the authentication layer, not the behavioural ones. OAuth 2.1 with PKCE, RFC 9728, and RFC 8707 stop token replay and weak auth, but they do nothing about a poisoned tool description or a chained exfiltration. Auth is necessary and not sufficient.

What single change reduces the most risk?

Cut token scope. Token sprawl and over-broad access turn small footholds into wide breaches, and most of the named 2025 incidents trace back to a credential that was broader than the task. Least-privilege, per-tool, user-scoped credentials shrink the blast radius of nearly every attack on this map.

Sources and further reading

  • Invariant Labs, GitHub MCP exploited.
  • Simon Willison, MCP has prompt injection problems.
  • Pomerium, lessons from the Supabase MCP data leak.
  • Nudge Security, the Asana MCP data-exposure incident.
  • MCPTox, a benchmark for tool-poisoning attacks.
  • ETDI, signed tool definitions against rug pulls and squatting.
  • NSA, MCP Security Design Considerations.
  • OWASP Top 10 for Agentic Applications 2026.
  • Ransomnews: secure MCP server guide, what is MCP, prompt-injection field manual, shadow AI in the enterprise.

Keywords: MCP security 2026, MCP attack surface, tool poisoning, line jumping, MCP rug pull, tool-chaining exfiltration, GitHub MCP vulnerability, Supabase MCP data leak, Asana MCP cross-tenant, MCP RCE CVE, token sprawl, Model Context Protocol threats.

Share. Facebook Twitter Pinterest LinkedIn Tumblr Telegram Email Copy Link
Previous ArticleBuild a secure MCP server in 2026: a hardening guide
Next Article Agentic AI threats: how MCP becomes an attack chain
Martynas Vareikis

Martynas Vareikis is the AI Editor at Ransomnews. He covers the intersection of artificial intelligence and information security — from machine-learning models in defensive tooling to the adversarial use of LLMs by ransomware operators, deepfake-driven social engineering, and the rise of agentic threats. His reporting focuses on translating fast-moving AI research into practical guidance for defenders, journalists, and the broader security community. Reach Martynas via [email protected].

Related Posts

Agentic AI threats: how MCP becomes an attack chain

June 29, 2026

Build a secure MCP server in 2026: a hardening guide

June 27, 2026

Deepfake vishing 2026: voice-clone fraud explained

June 24, 2026

Comments are closed.

Facebook X (Twitter) LinkedIn
© 2026 Ransomnews.com

Type above and press Enter to search. Press Esc to cancel.

Cookies on Ransomnews

We use strictly-necessary cookies to run the site and may use first-party analytics to understand which articles are read. Some pages contain affiliate links — when you click one, the affiliate network sets cookies on the merchant's domain to attribute the referral. See the Cookie Policy and Affiliate Disclosure for detail.

RANSOMNEWS.COM

Tracking the criminal infrastructure of the internet.

Independent coverage of ransomware, breach economics, threat actors, privacy, AI security, and the open-source investigation toolkit.

// Topics

  • News
  • Security
  • Privacy
  • Cybercrime
  • AI
  • OSINT
  • Reviews
  • Threat Groups
  • Stealer Logs
  • Ransomtracker
  • Stealercheck
  • FortiBleed Checker

// Site

  • About Us
  • Editorial Team
  • Contact
  • Tip Line
  • Editorial

// Legal

  • Privacy Policy
  • Terms of Service
  • Cookie Policy
  • Affiliate Disclosure
  • RSS Feed
© 2026 Ransomnews.com · Tracking the criminal infrastructure of the internet.