Model Context Protocol (MCP) is quickly becoming the backbone of how AI agents interact with the outside world. It gives agents a standardized way to discover tools, trigger actions, and pull data. MCP dramatically simplifies integration work. In short, MCP servers act as the adapter that grants access to services, manages credentials and permissions, and enforces boundaries. And because MCP acts as a single point where permissions, credentials, and sensitive workflows converge, it needs to be treated as critical infrastructure.

Security Risks You Can’t Ignore

Like any system that bridges AI with external actions, MCP introduces serious security concerns. These include:

Credential Theft & Account Takeover: MCP servers store OAuth tokens for connected services. If stolen, attackers can impersonate users, accessing or sending data as those users. These token-based attacks often bypass login alerts, making detection difficult.

MCP Server Compromise: A compromised server provides attackers all stored tokens and permissions. This enables actions across multiple services such as emails and calendars, databases, and CRM systems without further breaches. Cached tokens may remain valid even after password resets, extending the threat.

Prompt Injection (Tool Misuse): Malicious instructions hidden in input data or tool metadata can drive agents to misuse MCP tools. For example, a crafted document could trigger unauthorized email forwarding or data exfiltration without visible malicious code.

Overly-Broad Permissions: MCP servers often request expansive scopes (“all emails,” “all files”) when fine-grained access is needed. This violates the principle of least privilege. The result is an aggregate data silo enabling a server to pull together information from many sources. An attacker who hijacks an overly-permissioned MCP server could exfiltrate sensitive PII from HR systems, or leak confidential IP from engineering repositories, exposing the business to regulatory penalties, lawsuits, and competitive loss. Even legitimate use could raise privacy concerns if the MCP server operator itself isn’t carefully segregating or limiting what the AI can access. Fine-grained permissions are critical; otherwise, MCP can inadvertently concentrate sensitive data in one place, ripe for exfiltration or abuse.

These risks highlight MCP’s double edge: by centralizing access it empowers agents, but also increases attack surface. Without strict controls, an MCP server can become an attacker’s most efficient entry point.

Real-World Exploits Involving MCP Servers

Earlier this year, researchers showed that a malicious PDF uploaded into a Notion workspace could silently trigger an MCP-style workflow, prompting the Notion agent to exfiltrate internal client data. The issue wasn’t code execution—it was overly trusting tool schemas combined with an agent that followed instructions too literally.

Another incident involved Anthropic’s MCP Inspector, a developer tool for debugging integrations. A critical vulnerability (CVE-2025-49596) lets a malicious webpage call Inspector endpoints and run arbitrary commands on the host. Because Inspector had broad local privileges, attackers could steal credentials, access source code, and plant backdoors. The flaw was patched, but it demonstrated how a single permissive component can put an entire organization at risk.

Researchers also uncovered a prompt-injection flaw in GitHub’s MCP integration that lets attackers trick agents into reading private repositories and leaking them in public pull requests. No server breach was needed—just coarse OAuth scopes and untrusted issue text.

Clearly, when agents act autonomously and MCP servers centralize sensitive access, even small oversights can create cascading failures.

5 Key Security Best Practices for Running MCP In The Wild

To safely deploy an MCP server for your product, it’s critical to implement multiple layers of security controls. Below are essential protections that software engineering and security teams should put in place:

1. Strong Authentication for Clients and Users: Require cryptographic identity for every connection. Use mTLS for service-to-service, short-lived OAuth tokens for agents, and SSO + MFA for humans. Treat developer tools like production: no run-by-default. Enforce token revocation and automated rotation on suspected compromise. This blocks unauthorized connectors, makes misuse traceable, and prevents silent impersonation.

2. Fine-Grained Authorization & Least Privilege: Some teams assume they can “stuff” permissions into authentication (e.g., OAuth tokens). Don’t do this. OAuth-style tokens are insufficient: they’re not granular enough (route-level scopes vs. resource- or record-level rules) and don’t model complex policies like hierarchies or contextual attributes.

3. Tool Registry & Manifest Integrity: Operate a default-deny registry. Require signed manifests, version pinning, provenance checks, and mandatory change approvals for metadata updates. Block silent post-install edits and require staged rollouts with reconsent for risky changes. Add automated supply-chain scanning for known-vulnerable dependencies. This prevents rogue or poisoned tools and reduces attack surface from third-party providers.

4. Implement Operational Guardrails & Runtime Isolation: Treat high-risk actions as exceptions: require human approval, policy gates, rate/amount caps, and contextual checks (time, recipient, amount). Execute untrusted tasks in sandboxes/containers with syscall filtering, strict mounts, and egress controls. Monitor for anomalous patterns and automatically isolate suspicious sessions. This prevents zero-click exfiltration and contains active abuse before lateral movement.

5. Observability, Auditing & Governance: Log every tool listing, invocation, and payload to immutable storage; feed logs to SIEM with tuned alerts. Monitor model outputs for risky disclosures and keep tamper-evident forensic trails. Couple technical telemetry with governance: pre-approval for integrations, threat models, scheduled red teams, and documented escalation/playbooks. Implementing these controls enable faster detection, cleaner investigations, and accountable risk decisions.

Next Steps for MCP Security

MCP promises enormous leverage. It lets companies pair powerful agents with equally powerful systems of record, enabling workflows that were unimaginable even a year ago. But the same centralization that enables these capabilities also expands the attack surface. A single permissive component, an over-broad permission, or an overlooked developer tool can create a breach that impacts every connected system.

The path forward is to match MCP’s power with controls built for the age of autonomous agents. With the appropriate security controls, organizations can deploy MCP servers with confidence.