Reverse tunnels change the risk because they convert a private local service into an externally reachable endpoint without forcing the same deployment controls as production. The tunnel solves connectivity, but it can also bypass the normal checkpoints that define who may connect, which tools they may invoke, and how long access should exist.
Why This Matters for Security Teams
Reverse tunnels are not just a networking convenience; they reshape the trust boundary around an MCP server. A service that was intended to stay local can become reachable from outside the host, sometimes without the same ingress controls, segmentation checks, or approval workflow that would apply to a production endpoint. That matters because MCP tool access is often functionally equivalent to privileged application access, especially when secrets or administrative actions are exposed. The risk profile is visible in The State of MCP Server Security 2025, where 53% of MCP servers were found to expose credentials through hard-coded values in configuration files.
Security teams often underestimate the tunnel itself and focus only on the server behind it. The real issue is that the tunnel can bypass the normal controls that define who may connect, what they may invoke, and how long that access should exist. That makes reverse tunnels especially dangerous when MCP servers are used for sensitive development workflows, internal automation, or agent toolchains that already have broad local trust. Current guidance from the OWASP Agentic AI Top 10 and NHIMG’s Top 10 NHI Issues both point to the same pattern: when identity and exposure are treated separately, the tunnel becomes the shortcut attackers look for. In practice, many security teams encounter compromise only after a tunnel has already exposed a service to the outside world.
How It Works in Practice
Reverse tunnels change mcp security risk because they decouple reachability from governance. Instead of opening a formal inbound path, a local MCP endpoint initiates an outbound connection to a relay or tunnel broker, and remote clients connect back through that broker. The service may still “feel” local to the operator, but from a security standpoint it is now externally addressable. That can defeat assumptions built into host firewalls, perimeter allowlists, and “private by default” deployment models.
Practitioners should treat the tunnel as part of the attack surface, not a neutral transport layer. The key questions are:
- Who authenticated to the tunnel broker, and how was that identity bound to the MCP instance?
- Is tool access scoped per session or per user, or does the tunnel expose every local capability by default?
- Are credentials injected ephemerally, or are static secrets stored in config files and reachable through the exposed path?
- Can the broker log and revoke access in real time, or does it simply forward traffic without policy enforcement?
This is where alignment with NIST Cybersecurity Framework 2.0 becomes practical: treat exposure, identity, and monitoring as linked control objectives, not separate tasks. For MCP-specific risk, NHIMG’s Ultimate Guide to NHIs is useful because it reinforces the operational reality that machine identities become high-value access paths when they are easy to duplicate or bypass. Best practice is evolving toward short-lived access, explicit tool scoping, and policy checks at request time rather than relying on the tunnel’s implicit trust. These controls tend to break down when the tunnel is used for ad hoc developer access on unmanaged hosts because there is no stable enforcement point for identity, logging, or revocation.
Common Variations and Edge Cases
Tighter tunnel controls often increase setup friction, requiring organisations to balance developer convenience against the need for auditable access. That tradeoff becomes sharper in environments that use ephemeral containers, remote IDEs, or multi-agent workflows, where the tunnel may be spun up and torn down frequently. In those cases, the operational question is not whether a reverse tunnel is “allowed,” but whether the exposure is time-bound, logged, and tied to a workload identity instead of a person’s long-lived credentials.
There is no universal standard for this yet, but current guidance suggests that the safest pattern is to combine the tunnel with JIT access, per-session authentication, and policy checks enforced outside the MCP server itself. That matters because a reverse tunnel can carry any local privilege the service already has, including access to files, shell commands, or internal APIs. If the MCP server is also used by autonomous tools, the risk expands further: agentic systems may chain actions through the tunnel in ways that are difficult to predict ahead of time, which is why the OWASP Top 10 for Agentic Applications 2026 remains relevant here.
For teams already seeing broad agent adoption, SailPoint’s findings on AI agent access underscore the exposure problem: organisations often lose visibility once agent activity crosses an access boundary. Reverse tunnels make that loss of visibility more likely unless broker logs, session controls, and revocation are built in from the start.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Reverse tunnels often expose long-lived secrets and weak rotation paths. |
| OWASP Agentic AI Top 10 | A2 | Tunnel reachability magnifies unsafe agent tool access and unexpected action chains. |
| NIST CSF 2.0 | PR.AC-4 | Reverse tunnels alter remote access control and trust boundary enforcement. |
Use short-lived secrets and rotate exposed credentials immediately after tunnel-enabled access.
Related resources from NHI Mgmt Group
- How can organizations manage the risk of credential leaks in MCP frameworks?
- How should security teams evaluate unified identity platforms for governance risk?
- How should security teams use DSPM to reduce oversharing risk in AI-enabled environments?
- How can security teams prioritise sensitive data risk across file systems and SharePoint Online?
