Introduction

The Model Context Protocol launched in November 2024 with zero built-in authentication, and within a year, security researchers had uncovered critical remote code execution vulnerabilities, demonstrated full data exfiltration chains, and found the first malicious MCP server in the wild.

This matters because MCP is no longer a niche developer tool. It now handles 97 million monthly SDK downloads across 10,000+ active servers, powering integrations in ChatGPT, Claude, Cursor, Gemini, and Microsoft Copilot. When MCP is vulnerable, the AI-powered workflows of millions of developers and enterprises are vulnerable too.

The good news: the protocol's security posture has improved dramatically through three major spec revisions, a fast-growing ecosystem of security tools, and formal governance under the Linux Foundation.

The bad news: authorization is still optional in the spec, most deployed servers ship without authentication, and prompt injection remains fundamentally unsolved at the protocol level. The attack surface is expanding faster than most organizations realize.

CISOs: you need to pay attention.

MCP Shipped Without Locks on the Doors

When Anthropic released MCP, the specification defined how AI models connect to external tools via JSON-RPC - but left security almost entirely to implementers. No standardized authentication. No authorization framework. No transport encryption requirement.

Three spec revisions changed that in rapid succession:

March 2025 introduced OAuth 2.1 authorization and a new Streamable HTTP transport.

June 2025 separated the MCP server from the authorization server (fixing a widely criticized coupling), mandated Resource Indicators to prevent token mis-redemption attacks, and explicitly prohibited token passthrough to upstream APIs.

November 2025 added enterprise-grade features: Client ID Metadata Documents for safer client identification, Enterprise-Managed Authorization so IT admins can pre-authorize trusted agents through centralized identity providers, and machine-to-machine authentication for autonomous agents.

Today's MCP security stack is substantial, mandatory PKCE with S256, protected resource metadata, scope-based authorization, DNS rebinding protection, and structured session management.

But here's the catch: authorization remains optional in the spec, and many servers still ship without any authentication at all.

Researchers Exposed an Alarming Attack Surface

While the spec was catching up, researchers were discovering that the damage window had already opened. Starting in April 2025, a wave of disclosures revealed that MCP's attack surface was far larger than anyone expected — and that deployed servers were already exploitable.

Tool poisoning turned out to be the signature MCP vulnerability. Invariant Labs showed that malicious instructions embedded in tool descriptions — invisible to users but visible to AI models — could silently exfiltrate SSH keys, credentials, and config files. A tool that appeared to do simple math was secretly reading your private keys and transmitting them as hidden parameters. Trail of Bits then published a rapid-fire series of disclosures that were arguably more alarming: malicious servers can attack the AI's context window at connection time before any tool is invoked (bypassing human-in-the-loop entirely); tool descriptions can inject triggers that exfiltrate conversation histories when a user says something as innocent as "thank you"; and malicious instructions can be hidden from terminal users using ANSI escape codes while remaining fully visible to the LLM.

Palo Alto Networks and CyberArk expanded the taxonomy further, documenting resource theft through hidden compute requests, conversation hijacking, covert file writes, and "Full-Schema Poisoning" where every field in a tool schema can carry malicious payloads.

These were not theoretical.

The jump from proof-of-concept to real-world impact happened fast. Invariant Labs demonstrated full WhatsApp message history exfiltration by combining a malicious MCP server with a legitimate one. A GitHub MCP exploit hijacked an AI assistant into leaking private repository contents and salary data into a public pull request. Asana's MCP server exposed data across organizational boundaries for roughly 1,000 customers. And in September 2025, the first confirmed malicious MCP server appeared in the wild — a fake email server silently BCC'ing all communications to an attacker.

The CVE list is sobering. The most critical — CVE-2025-6514 (CVSS 9.6) — allowed a malicious MCP server to achieve full remote code execution on any machine running the widely-used mcp-remote package by injecting a crafted URL that got passed directly to the system shell. Over 437,000 downloads were affected.

SAFE-MCP: A Threat Taxonomy

With attacks multiplying and no common language to describe them, the SAFE-MCP initiative (Security Analysis Framework for Evaluation of MCP) emerged as a key effort to catalog and address MCP threats.

Think of it as MITRE ATT&CK for MCP. SAFE-MCP catalogs 80+ attack techniques across 14 tactic categories, each with severity ratings, detection strategies, and — critically for enterprise teams — compliance crosswalks to NIST SP 800-53 and ISO 27001 controls. If your security team already maps to those frameworks, SAFE-MCP lets you slot MCP threats directly into your existing risk model.

It also provides a layered mitigations framework spanning architectural defenses, cryptographic controls, input validation, supply chain security, sandboxed execution, and runtime monitoring. Now governed jointly by the OpenSSF and the OpenID Foundation, SAFE-MCP has given the ecosystem what it badly needed in early 2025: a shared vocabulary for describing and prioritizing MCP threats.

SAFE-MCP is a threat knowledge framework, not a runtime security tool. It tells you what can go wrong and how to defend against it, and it's given the ecosystem a shared vocabulary for discussing MCP threats — something that was notably absent when researchers were independently discovering overlapping vulnerabilities earlier.

Why Enterprises Can’t Afford to Wait

MCP is quietly becoming the backbone of enterprise AI operations. Major deployments at Block, Bloomberg, and Amazon, combined with integrations across Microsoft Copilot, Google Gemini, and Azure AI Foundry, mean MCP connections now touch CRMs, code repositories, internal databases, email, and financial platforms.

The "shadow MCP" problem is real. Just as shadow IT emerged when employees adopted unsanctioned cloud services, developers are now spinning up MCP servers on local machines without security team visibility. Researchers have discovered roughly 1,800 publicly exposed MCP instances, many running without authentication. By the time security teams learn about these deployments, an AI agent may already have the same privileges as the developer who deployed it: full repository access, database connections, and API permissions included.

The competitive dimension cuts both ways. Organizations that build mature MCP security practices will move faster on AI adoption while competitors stall. But those that rush in without controls risk the kind of breach; data exfiltration via a poisoned tool, credential theft from a shadow deployment, lateral movement through a compromised package, that carries regulatory scrutiny and lasting reputational damage.

Conclusion

MCP's security story is one of rapid maturation under pressure. A protocol that launched with no authentication now has OAuth 2.1, enterprise-managed authorization, and mandatory cryptographic protections. SAFE-MCP provides the threat taxonomy the ecosystem needed, backed by foundation governance.

But the critical insight is this: MCP security is not primarily a protocol problem — it's an ecosystem problem. The spec can mandate OAuth and PKCE, but it can't force server developers to implement authentication, enterprises to audit their deployments, or AI models to resist prompt injection. The tools, frameworks, and standards emerging around MCP are filling these gaps faster than most open-source security ecosystems mature, driven by the recognition that securing AI-tool integration is now a front-line cybersecurity concern.

For enterprises, the message is straightforward: the time to build MCP security practices is before your AI agents are connected to production systems, not after the first incident.

Securing your MCP deployments? Vectara helps enterprises deploy AI agents that communicate with MCP servers through authenticated, governed connections. Contact us to learn more.