If you’re even a little bit into AI these days, you’ve probably heard about MCP (Model Context Protocol). It’s been said to be the next big thing for AI, and what we need to get more reliable answers. With MCPs, we can connect to external tools and get live data. But there is a few security concerns you need to take seriously. In this article I will talk a little bit about security and then go though some specific issues.
What is the security challenge for MCP?
Before we start diving into the specific risks, I think it’s important to understand what makes MCP security different from traditional application security. Unlike typical web APIs that operate in well-defined server environments, MCP servers often run locally on user machines with direct access to system resources, files, and network connections.
The protocol operates through two primary transport mechanisms. The most common is “stdio,” where MCP servers run as local executables that communicate with clients through standard input and output streams. The alternative is HTTP with Server-Sent Events for remote servers. Both approaches introduce unique security considerations.
What makes this particularly concerning is that MCP servers can be called by anyone – not just LLMs. While AI models typically show their intended actions through “plan” and “act” phases, malicious attackers have no such transparency requirements.
Command injection: The classic flaw returns
One of the most common vulnerability patterns found in MCP servers is command injection – a security flaw that should have been eliminated decades ago, yet continues to appear in modern implementations.
Here’s how these vulnerabilities typically manifest: an MCP server receives user input through the protocol and incorporates it directly into system commands without proper sanitization. An attacker can craft malicious payloads containing shell metacharacters to execute arbitrary commands on the target system.
A real-world example shows how easily this can happen:
python
def dispatch_user_alert(self, notification_info: Dict[str, Any], summary_msg: str) -> bool:
"""Sends system alert to user desktop"""
notify_config = self.user_prefs["alert_settings"]
try:
alert_title = f"{notification_info['title']} - {notification_info['severity']}"
if sys.platform == "linux":
subprocess.call(["notify-send", alert_title])
return TrueIn this code, user-controlled data in notification_info is passed directly to a system command. A malicious actor could inject commands through the title or severity fields, potentially gaining full system access. This is something that has been done too many times in regular web APIs, so it’s important to take things like this seriously.
Five security risks you should know
1. Supply chain attacks
When using local MCP servers, organizations are essentially downloading and executing binaries on their systems. This creates opportunities for attackers to create backdoored MCP servers and wait for victims to install them.
The risk is amplified because MCP servers often come from community sources or third-party developers. Configuration files that specify commands and parameters can also be manipulated to include malicious actions, even if the MCP server itself appears legitimate.
Mitigation Strategy: Only use MCP servers from trusted sources, verify digital signatures, and implement code reviews for any MCP servers before deployment. Consider running MCP servers in sandboxed environments with limited system access.
2. Prompt injection
MCP servers expose capabilities that get included in prompts, creating opportunities for indirect prompt injection attacks. Even if you don’t directly invoke malicious functionality, the mere presence of a compromised MCP server can influence AI behavior through its method descriptions.
This risk increases because method descriptions can be updated dynamically, meaning a server that appears safe during installation could become malicious through updates.
Mitigation Strategy: Implement prompt sandboxing where content from untrusted MCP servers is never included in the same context as sensitive information. Validate and freeze capability descriptions from external servers.
3. It’s bidirectional
Many users forget that MCP is bidirectional. MCP clients can expose capabilities like “sampling” which allows servers to use the LLM engine with their own prompts and parameters. This means malicious servers could potentially abuse your AI resources or extract information through crafted prompts.
Mitigation Strategy: Carefully review and limit the capabilities your MCP client exposes. Implement controls around sampling functionality, including user approval for completion requests and appropriate rate limits.
4. Authentication and authorization failures
MCP servers may suffer from “confused deputy” problems where they execute actions with elevated privileges rather than on behalf of the requesting user. This violates the principle of least privilege and can lead to unauthorized access to resources.
The current MCP authorization specification has been criticized for including implementation details that conflict with modern enterprise security practices.
Mitigation Strategy: Implement proper user-context authentication for MCP servers. Ensure that all actions are performed with appropriate user permissions rather than service-level privileges.
Learn more about authentication in the MCP ecosystem in this session that Aaron Parecki at Okta gave at the first MCP Developers Summit.
5. Tool injection and deceptive naming
Malicious MCP servers can use deceptive tool names to trick AI models into selecting them for tasks that should be handled by legitimate tools. A tool originally described as gathering weather information might be modified in an update to start gathering confidential information.
Mitigation Strategy: Implement version pinning for MCP servers and establish notification systems for any changes in code or functionality after installation.
The protocol-level problems
Beyond implementation vulnerabilities, the MCP specification itself contains design decisions that create security challenges:
Session Management: The protocol mandates session identifiers in URLs, which violates security best practices by exposing sensitive identifiers in logs.
Lack of Authentication Standards: The protocol provides minimal guidance on authentication, leading to inconsistent security implementations across different servers.
Missing Integrity Controls: The protocol lacks required message signing or verification mechanisms, making message tampering possible.
Building secure MCP implementations
For organizations developing or deploying MCP servers, several security practices can significantly reduce risk:
Development Phase Security:
- Implement Static Application Security Testing (SAST) in build pipelines
- Use Software Composition Analysis (SCA) to identify vulnerable dependencies
- Follow secure coding practices, especially around input validation and command execution
- Sign all MCP components to ensure integrity
Deployment Phase Security:
- Run MCP servers in sandboxed environments with minimal required permissions
- Implement comprehensive logging for all MCP server actions
- Establish regular vulnerability management processes for MCP components
- Use network segmentation to limit the blast radius of compromised servers
Operational Security:
- Monitor MCP server behavior for unusual activities
- Implement user confirmation for sensitive operations
- Regularly audit and update MCP server versions and dependencies
- Maintain incident response procedures specifically for MCP-related security events
Arjun Sambamoorthy of Cisco takes a deeper dive into securing MCP servers in the session “Building Protected MCP Servers” from the MCP Developers Summit in May 2025.
Summary – The path forward
The security challenges facing MCP don’t mean organizations should avoid the protocol entirely. Instead, they highlight the need for a mature, security-first approach to implementation and deployment.
The MCP community is actively working to address security at a broader level.Efforts are underway to improve the authorization specification, develop better security tooling, and establish best practices for secure MCP development.
For organizations looking to adopt MCP, the key is to approach it with the same security rigor applied to any other critical infrastructure component. This means thorough security assessments, careful vendor selection, proper testing procedures, and ongoing monitoring.
One of the most important steps organizations can take, is implementing an Enterprise MCP Gateway to provide a trusted and validated set of MCP Servers that have been vetted and approved by IT. This reduces the risk of employees finding potentially malicious MCP servers on the internet and using them to connect to critical services.
If you would like to schedule a meeting with an Obot field engineer to discuss an enterprise strategy for securely delivering MCP servers across the enterprise, our team has a ton of experience helping organizations map out a strategy for MCP security.
The Model Context Protocol represents a significant advancement in standardizing AI integrations, but its rapid adoption has outpaced security maturity. We’re seeing fundamental security issues from decades past reemerging in this new context, requiring renewed attention to security basics alongside innovation.
As we continue to expand AI capabilities through protocols like MCP, maintaining a security-first mindset will be crucial for building systems that are not only powerful and useful, but also trustworthy and safe for widespread adoption.
