How to Fix the Top 6 Security Flaws in the Model Context Protocol (MCP)

Read full article from Descope here:  https://www.descope.com/blog/post/mcp-vulnerabilities/?utm_source=nhimg

The Model Context Protocol (MCP) is rapidly becoming the backbone of AI system connectivity, enabling large language models (LLMs) to interact with external tools, APIs, and services. However, as enterprises rush to deploy MCP in production—especially across sensitive sectors like fintech, healthcare, and critical infrastructure—security gaps have emerged that could expose AI environments to serious exploitation.

Recent findings from Knostic and Backslash Security uncovered thousands of internet-exposed MCP servers with no authentication and full remote command execution capabilities. Combined with tool poisoning and cross-server manipulation, these weaknesses form a new class of AI-specific threats that demand immediate attention from security teams, developers, and enterprises embracing agentic architectures.

This detailed guide explores the top six MCP vulnerabilities, their real-world implications, and the mitigations required to prevent catastrophic breaches.

1. Tool Poisoning — When Metadata Becomes Malware

Tool poisoning is the MCP-specific version of prompt injection, where attackers embed malicious instructions inside tool descriptions. Because LLMs automatically read these descriptions to understand server capabilities, poisoned metadata can silently instruct an agent to exfiltrate data, overwrite files, or execute rogue commands—even without being invoked.
Fix: Use fine-grained OAuth scopes, short-lived tokens, and sender-constrained credentials (e.g., mTLS or DPoP). These controls don’t prevent the injection but limit damage from unauthorized tool calls.

2. “NeighborJack”ing — Exposed Servers with No Authentication

Backslash Security discovered hundreds of MCP servers bound to 0.0.0.0, exposing them to anyone on the network. In some cases, anyone could run arbitrary commands like deleting system files or installing malware.
Fix: Never bind production MCP servers to public interfaces. Instead, use Unix domain sockets or loopback interfaces with strict firewall rules. Enforce OAuth 2.1 authorization for all remote servers and validate tokens for every request.

3. Cross-Server Shadowing — Confused Deputy Attacks Across Agents

In multi-server environments, malicious MCP servers can manipulate how LLMs use tools from trusted servers by merging all tool descriptions into a shared context. The result is a confused deputy scenario, where a malicious server secretly issues additional actions (e.g., BCCing sensitive emails).
Fix: Implement scoped namespaces, tool whitelisting, and automatic quarantine for servers that reference others in their metadata. Use scope-based access controls (like Descope’s Agentic Identity Control Plane) to confine agent behavior.

4. Server Spoofing & Token Theft — Imitation Servers and Stolen Sessions

Attackers can mimic legitimate MCP servers to intercept OAuth tokens and exfiltrate data. Once stolen, tokens grant near-invisible access since they appear as legitimate API activity.
Fix: Use short-lived tokens, JIT access policies, and token rotation. Always validate server identity and certificates before exchanging data. Descope’s Dynamic Client Registration (DCR) and token management simplify OAuth 2.1 compliance while reducing developer overhead.

5. The “Lethal Trifecta” — Autonomous Agents with Production Access

Coined by General Analysis, the Lethal Trifecta combines:

1. LLMs interpreting natural language
2. Autonomous tool calling
3. Access to sensitive data sources
   This combination can lead agents to execute injected commands directly on production databases, as shown in the Cursor + Supabase test where an agent leaked integration tokens.
   Fix: Never connect AI agents to production systems. Use staging environments, manual approval for tool calls, and read-only permissions. Descope enables granular OAuth scope control and real-time audit logging for all MCP events.

6. Rug-Pull Updates — When Trusted Tools Turn Malicious

A trusted MCP tool can later be compromised, silently pushing updates that inject harmful metadata. The lack of version pinning or change alerts means compromised updates often go unnoticed, creating long-term backdoors.
Fix: Require cryptographic signing (Sigstore attestations), store hashes of tool metadata, and quarantine changed definitions pending re-approval. Disable auto-updates in production and maintain rollback functionality for previous trusted versions.

MCP Hardening: Best Practices

• Enforce OAuth 2.1 authentication and token lifecycle management.
• Adopt Zero Trust principles with scope-limited access and continuous monitoring.
• Use MCP gateways to isolate servers and track metadata changes.
• Implement audit logging, namespace isolation, and version pinning.
• Prevent friction: build secure-by-default experiences that minimize user fatigue and risky workarounds.

Descope: Securing the Agentic Future

Descope offers purpose-built security solutions for MCP and agentic AI environments, addressing vulnerabilities outlined above with:

• Agentic Identity Control Plane – Centralized governance, auditing, and lifecycle management for all MCP clients, servers, and AI agents.
• MCP Auth SDKs and APIs – Simplified OAuth 2.1 flows with PKCE, consent management, and secure token storage.
• Inbound/Outbound Apps – Enterprise-grade hosted authorization and secure third-party API calls with dynamic token handling.

By adopting Descope’s MCP-native security stack, organizations can confidently deploy agentic systems that are resilient, compliant, and ready for the next generation of AI connectivity.