model context problems

a running record of publicly disclosed security incidents in the Model Context Protocol ecosystem. because what could possibly go wrong when you let language models autonomously talk to everything?

17 incidents tracked · 8 critical severity · 7 high severity · 12 CVEs assigned
numbers update as new incidents are disclosed.

2026 · june · 02

[high] no CVE assigned

Claude Code GitHub Action Prompt Injection Hijacks Any Downstream Repo

GMO Flatt Security's RyotaK and Microsoft Threat Intelligence published parallel research disclosing prompt-injection bypasses in Anthropic's official claude-code-action GitHub Action. Flatt's writeup, posted June 2, traced the checkWritePermissions function unconditionally trusting any actor whose login ended in [bot], which let any GitHub App author craft issues whose contents Claude then treated as authorized instructions. Microsoft's June 5 post documented a second path: the agent's Read tool sat outside the Bubblewrap sandbox that wrapped Bash, so /proc/self/environ was reachable from inside any triage run. Both chains exfiltrated the workflow's ANTHROPIC_API_KEY, OIDC token, and any other CI secrets via the GitHub MCP server's update_issue tool, WebFetch, or echoed log output. Anthropic rated the issues 7.8 under CVSS v4.0, shipped fixes across claude-code-action v1.0.94 and Claude Code 2.1.128, and paid a bounty. A variant of the same misconfiguration class was already exploited in February against Cline's triage workflow to steal an npm publish token and push an unauthorized [email protected].

checkWritePermissions · Read tool sandbox · GitHub MCP update_issue, lined up at exfil
commentary
An auth check that boils down to actor.endsWith('[bot]') is roughly the part of an auth system you'd hope --insecure-skip-tls-verify=true was, only less polite. The Bash tool got a Bubblewrap sandbox. The Read tool got a permission check. Whoever signed off on that delta hadn't yet met an LLM willing to ask Read for /proc/self/environ.
impact

Any repository running the action with a `[bot]`-authored triage workflow could be coaxed into leaking its `ANTHROPIC_API_KEY`, OIDC token, and other workflow secrets, then accepting attacker-authored commits. Because `anthropics/claude-code-action` itself ran the vulnerable workflow, a successful compromise of the action's own repo would have flowed to every downstream consumer.


2026 · may · 21

[high] CVE-2026-46519, CVE-2026-47250

mcp-server-kubernetes Ships Two Access Control Bypasses in Two Weeks

Flux159's mcp-server-kubernetes shipped two access-control failures disclosed two weeks apart in late May and early June 2026. CVE-2026-46519 (CVSS 8.8), published May 21, found that the ALLOWED_TOOLS, ALLOW_ONLY_READONLY_TOOLS, and ALLOW_ONLY_NON_DESTRUCTIVE_TOOLS environment variables were enforced only inside the tools/list handler. The tools/call handler had none of those checks, so any client that already knew a tool name could invoke kubectl_delete, exec_in_pod, or kubectl_generic regardless of the configured restriction mode. v3.6.0 added matching enforcement at the execution layer. CVE-2026-47250 (CVSS 3.1), published June 5, showed that kubectl_generic still passed user-supplied flags straight to kubectl with no allowlist. A prompt injection planted in pod logs could nudge the agent to call kubectl_generic with --server=https://attacker.example/ and --insecure-skip-tls-verify=true, sending the operator's bearer token to the attacker. v3.7.0 added flag filtering. The researcher confirmed the full prompt-injection-to-token-exfiltration chain end to end against a live kind cluster with Claude Haiku as the agent.

commentary
Both bugs assume the same thing: the restrictions defined in config are the restrictions the code is checking. They aren't, and they weren't. Putting an AI agent between the operator and kubectl doesn't change the lesson, except that the agent will type --insecure-skip-tls-verify=true for you, on request, from a pod log.
impact

Pre-v3.6.0 deployments let any reachable client invoke arbitrary `kubectl` tools regardless of the configured restriction policy. Pre-v3.7.0 deployments let prompt-injected pod logs harvest the operator's kubeconfig bearer token, which then replays directly against the real cluster's API server.
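Both bugs above are the same shape: the policy is consulted in one place and skipped in another. The block below is an added illustration, not code from mcp-server-kubernetes; the tool names, the config keys (`allowedTools`, `readOnlyOnly`, `nonDestructiveOnly`) and the flag allowlist for the passthrough tool are all assumptions chosen to mirror the writeup. It builds the permitted tool set once and has both the list handler and the call handler consult it, then applies a deny-by-default flag filter to the generic tool so that client-redirecting flags never reach kubectl.

```javascript
// Added example (not mcp-server-kubernetes code). Tool metadata and config
// keys are illustrative assumptions modelled on the incident writeup.
const TOOLS = {
  kubectl_get:      { destructive: false, readonly: true },
  kubectl_describe: { destructive: false, readonly: true },
  kubectl_apply:    { destructive: false, readonly: false },
  kubectl_delete:   { destructive: true,  readonly: false },
  exec_in_pod:      { destructive: true,  readonly: false },
  kubectl_generic:  { destructive: true,  readonly: false },
};

// Compute the permitted set exactly once from the restriction config.
function buildPolicy(cfg) {
  const permitted = new Set();
  for (const [name, meta] of Object.entries(TOOLS)) {
    if (cfg.allowedTools && !cfg.allowedTools.includes(name)) continue;
    if (cfg.readOnlyOnly && !meta.readonly) continue;
    if (cfg.nonDestructiveOnly && meta.destructive) continue;
    permitted.add(name);
  }
  return permitted;
}

// Vulnerable shape from the writeup: tools/list filters, tools/call does not,
// so a client that already knows a tool name can simply call it.
function makeVulnerableServer(cfg) {
  const permitted = buildPolicy(cfg);
  return {
    list: () => [...permitted],
    call: (name) => (name in TOOLS ? `ran ${name}` : 'unknown tool'),
  };
}

// Deny-by-default flag allowlist for the passthrough tool (assumed list).
// --server, --kubeconfig, --token, --insecure-skip-tls-verify and friends are
// rejected simply by not being here.
const SAFE_FLAGS = new Set(['-n', '--namespace', '-o', '--output', '-l', '--selector']);
function flagsAllowed(args) {
  return args.every((a) => {
    if (!a.startsWith('-')) return true; // positional argument, e.g. "pods"
    const flag = a.split('=')[0];        // "--output=json" -> "--output"
    return SAFE_FLAGS.has(flag);
  });
}

// Hardened shape: the same permitted set gates both handlers, and the
// generic tool additionally passes through the flag filter.
function makeHardenedServer(cfg) {
  const permitted = buildPolicy(cfg);
  return {
    list: () => [...permitted],
    call: (name, args = []) => {
      if (!permitted.has(name)) return 'denied';
      if (name === 'kubectl_generic' && !flagsAllowed(args)) return 'denied';
      return `ran ${name}`;
    },
  };
}

// Stand-alone demo: read-only policy against both server shapes.
const readOnly = { readOnlyOnly: true };
console.log('vulnerable call:', makeVulnerableServer(readOnly).call('kubectl_delete'));
console.log('hardened call:  ', makeHardenedServer(readOnly).call('kubectl_delete'));
console.log('generic w/ redirect flag:', makeHardenedServer({}).call(
  'kubectl_generic', ['get', 'pods', '--server=https://attacker.example/']));
```

The point of `buildPolicy` returning one `Set` is that there is no second copy of the policy to drift; if a handler forgets to ask it, the tool is not reachable at all rather than reachable without checks. The flag filter is an allowlist rather than a blocklist because kubectl accepts many spellings and abbreviations of the same dangerous options.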


2026 · may · 20

[high] no CVE assigned

Claude Code SOCKS5 Sandbox Bypass Exfiltrates Credentials and MCP Configs

Aonan Guan, who leads cloud and AI security at Wyze Labs, publicly disclosed his second Claude Code network sandbox bypass in five months. The latest issue is a SOCKS5 hostname null-byte injection. Claude Code's proxy enforces its egress allowlist by passing the raw DOMAINNAME bytes from a CONNECT request through a JavaScript endsWith() check against the user's wildcard policy. JavaScript treats \x00 as an ordinary UTF-16 code unit, so a crafted host like attacker-host.com\x00.google.com matches an allowlist entry for .google.com and is approved. When libc later resolves the hostname via getaddrinfo(), the C runtime truncates at the null byte and dials attacker-host.com instead. Every release from v2.0.24 (sandbox GA on Oct 20, 2025) through v2.1.89 was vulnerable. Anthropic shipped a fix in v2.1.90 on April 1, 2026, with no security note in the changelog, no advisory on the Claude Code page, and no CVE assigned. Exfiltration paths reachable from inside the sandbox include MCP server configs, ~/.claude.json, project source, and anything else the agent could read.

commentary
The sandbox failed open because endsWith and getaddrinfo disagree about whether \x00 is a character. That isn't an exotic bug. The Apache HTTP server fixed the SSL-certificate-null-byte version of it in 2009. Shipping a network policy that's robust against motivated attackers takes engineering. Shipping one quietly takes considerably less.
impact

Arbitrary data exfiltration past the network allowlist for roughly 5.5 months across about 130 published versions. Users who relied on a wildcard allowlist during that window received no advisory telling them to rotate credentials.
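The failure above is a string check and a resolver disagreeing about where a hostname ends. The block below is an added example, not Claude Code's proxy code: it places the suffix-only `endsWith()` check described in the writeup beside a hardened version that first rejects anything that is not a syntactically valid hostname (which is what catches `\x00` and every other control byte) and then matches wildcard entries only on label boundaries. The policy format (entries starting with `.` are wildcards, and `.google.com` also matching bare `google.com`) and the probe hostname are assumptions constructed for the example.

```javascript
// Added example (not Claude Code's proxy). Policy semantics are assumed:
// an entry beginning with "." is a wildcard suffix, anything else is exact.

// Constructed allowlist and probe, shaped like the incident description.
const POLICY = ['.google.com', 'api.anthropic.com'];
const PROBE = 'attacker-host.com\u0000.google.com';

// Vulnerable: raw bytes straight into endsWith(). JavaScript happily treats
// U+0000 as one more code unit, so the suffix matches.
function isAllowedVulnerable(host, allowlist) {
  return allowlist.some((entry) =>
    entry.startsWith('.') ? host.endsWith(entry) : host === entry);
}

// Valid hostname: 1..253 chars, labels of 1..63 chars from [a-z0-9-],
// no leading/trailing hyphen, labels separated by single dots.
const HOSTNAME_RE =
  /^(?=.{1,253}$)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$/;

// Canonicalize, then refuse anything the resolver would read differently
// than we do. Returns null when the name is not a clean hostname.
function canonicalHostname(raw) {
  const host = String(raw).toLowerCase();
  return HOSTNAME_RE.test(host) ? host : null;
}

// Hardened: validate first, then compare on label boundaries only.
function isAllowedHardened(rawHost, allowlist) {
  const host = canonicalHostname(rawHost);
  if (host === null) return false;
  return allowlist.some((entry) => {
    const e = entry.toLowerCase();
    if (e.startsWith('.')) {
      // ".google.com" matches "mail.google.com" and, by our convention, "google.com";
      // it does not match "notgoogle.com" because the dot must be present.
      return host === e.slice(1) || host.endsWith(e);
    }
    return host === e;
  });
}

// Stand-alone demo of the two checks against the constructed probe.
function demo() {
  return {
    vulnerable: isAllowedVulnerable(PROBE, POLICY),
    hardened: isAllowedHardened(PROBE, POLICY),
  };
}
console.log(demo()); // { vulnerable: true, hardened: false }
```

The important design choice is that validation happens on the exact string that will later be handed to the resolver, and it is an allowlist of characters rather than a blocklist of `\x00`: any byte the regex does not recognise is a rejection, so the check does not need to enumerate every encoding trick a resolver might truncate on.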


2026 · may · 20

[informational] no CVE assigned

NSA Publishes MCP Security Design Considerations

The NSA's Artificial Intelligence Security Center released a Cybersecurity Information Sheet titled "Model Context Protocol (MCP): Security Design Considerations for AI-Driven Automation." The document flags MCP's "rapid proliferation [that] has outpaced the development of its security model." It calls out the protocol's inversion of the typical client-server pattern (the server can prompt the client to take actions) and enumerates systemic concerns: trust boundary ambiguity, unverified task propagation, session-replay risk, and serialization issues. It urges "heightened scrutiny" for production deployments, especially in national-security and high-assurance environments.

commentary
When the NSA publishes a Cybersecurity Information Sheet saying your protocol "outpaced the development of its security model," "expected behavior" is probably not the response the rest of the industry wants on file.
impact

Formal government-level acknowledgment that MCP's security model is underdeveloped, naming concrete protocol-design gaps that operators are expected to compensate for.


2026 · may · 19

[critical] CVE-2026-45321

Mini Shai-Hulud Worm Weaponizes Claude Code and MCP Configs for Persistence

TeamPCP's Mini Shai-Hulud worm campaign ran through April and May 2026, hijacking npm maintainer accounts and publishing self-propagating malware across more than 600 packages on npm and PyPI. The May 19 wave compromised the atool and prop accounts and pushed 639 malicious versions across 323 packages in Alibaba's @antv data visualization ecosystem in a 22-minute automated burst. Earlier waves hit SAP CAP / mbt (April 29), TanStack (May 11), Mistral AI, Guardrails AI, UiPath, and OpenSearch. Each compromised release ships a preinstall hook that downloads the Bun JavaScript runtime as a living-off-the-land binary, then executes a credential harvester that sweeps cloud tokens, CI secrets, and password-manager vaults. The novel part: the payload reads ~/.claude.json and the host's MCP server configurations, then appends SessionStart hooks to .claude/settings.json so the next time Claude Code opens any project on the machine, the malware re-executes with full agent privileges. Researchers at Akamai, Snyk, Wiz, StepSecurity, and Phoenix Security all confirmed the AI-coding-agent persistence behavior independently.

first supply chain worm to use SessionStart hooks for persistence
commentary
The threat model that produced .claude/settings.json as a hook execution surface assumed nobody would write to it. The threat model that left MCP server config readable assumed nobody would read it. Both held up fine until somebody did both at once with a worm named after a Frank Herbert monster.
impact

Credential theft at scale across GitHub, npm, AWS, GCP, Azure, Vault, 1Password, and Bitwarden, plus self-propagation via stolen npm tokens and live AI-agent re-execution on every Claude Code session. Over 1,197 confirmed compromised repositories within hours of the @antv wave.


2026 · april · 25

[critical] CVE-2026-33032

nginx-ui MCP Endpoint Unauthenticated RCE

Pluto Security disclosed a critical (CVSS 9.8) vulnerability in nginx-ui's Model Context Protocol implementation. The MCP integration split traffic across two HTTP endpoints. /mcp handles session establishment and was correctly gated by an IP whitelist and auth middleware. /mcp_message handles tool invocation, including configuration writes and server restart, and shipped with no authentication at all. The default IP whitelist is empty, so the unauthenticated endpoint accepted connections from any address. Shodan turned up over 2,600 publicly exposed nginx-ui instances on the default port 9000. Pluto disclosed in early March 2026, v2.3.4 fixed it, and Recorded Future later listed the CVE among 31 vulnerabilities actively exploited by threat actors in March 2026.

commentary
One MCP endpoint had IP allow-listing and authentication middleware. The other was the one that actually mattered, and it shipped without either. Same project, same PR, same review. The mental model under which /mcp_message doesn't need auth because /mcp already had it is the same one that puts a screen lock on the front camera only.
impact

Unauthenticated remote modification of NGINX configuration, server restart, traffic interception, and administrator credential harvesting. Confirmed exploitation in the wild.


2026 · april · 15

[critical] CVE-2026-30623

Anthropic MCP SDK STDIO Command Injection (Declined to Patch)

OX Security disclosed a systemic command-injection vulnerability in Anthropic's official MCP SDKs across Python, TypeScript, Java, and Rust. The STDIO transport invokes a configured command string through the OS shell unconditionally. If the intended MCP binary doesn't exist, the shell still executes whatever command was supplied. OX identified four distinct exploitation families all tracing back to the same root cause, affecting more than 7,000 publicly accessible servers and 150 million package downloads, with an estimated 200,000 vulnerable instances across the ecosystem. Anthropic acknowledged the behavior, declined to modify the protocol, and updated its security guidance to advise that STDIO adapters be "used with caution." The company characterized the existing design as a secure default with sanitization being the developer's responsibility. Downstream CVEs already cluster around the same root cause: CVE-2026-22252 (LibreChat), CVE-2026-22688 (WeKnora), CVE-2025-54994 (@akoskm/create-mcp-server-stdio).

critical vulnerability disclosure | expected behavior, by design
commentary
"Sanitization is the developer's responsibility" is a fine policy for printf("%s"). It is a less fine policy for a protocol whose entire pitch is that you can wire up a command string from a config file and have a language model decide when to invoke it. The number of those 200,000 deployers who have read the updated security policy is fewer than 200,000.
impact

Arbitrary OS command execution on hosts running vulnerable MCP servers, with no protocol-level fix forthcoming. Every implementer is now responsible for sanitizing input that the SDK explicitly hands to a shell.


2026 · march · 16

[informational] no CVE assigned

Perplexity Ditches MCP

At its core, the linked article argues that MCP is too token-hungry to be practical at production scale, with tool definitions consuming the majority of the context window before any user request is even processed. Several major companies are independently abandoning it in favor of lighter-weight alternatives like traditional APIs and CLIs.

everyone who said MCP would be the universal protocol
commentary
"Universal AI protocol" was always going to mean "burn 72% of your context window on tool definitions you'll never use," but I appreciate that we collectively had to spend a year discovering it.
impact

MCP's "universal AI protocol" vision is effectively dead for production use cases, surviving only as a niche tool for desktop/IDE integrations.


2026 · february · 18

[critical] no CVE assigned

ContextCrush Flaw in Context7 MCP Server

Noma Labs discovered the ContextCrush vulnerability in Context7, a registry that delivers coding documentation to AI assistants via an MCP server. Attackers manipulated the platform's Custom Rules feature to plant malicious instructions. When an AI coding assistant (like Cursor or Windsurf) queried the documentation, it ingested the poisoned rules via the trusted MCP channel and autonomously executed harmful actions, such as stealing .env files.

the documentation registry's threat model
commentary
Imagine trusting an unauthenticated third-party documentation registry to autonomously execute commands in your dev environment. Couldn't be me. Was probably you.
impact

Widespread credential theft and data exfiltration via third-party documentation poisoning.


2026 · january · 21

[critical] no CVE assigned

Microsoft MarkItDown MCP Server SSRF

BlueRock researchers discovered a severe Server-Side Request Forgery (SSRF) flaw in the MCP server built for Microsoft's MarkItDown file converter. The server failed to validate URIs, allowing attackers to force the AI agent to query local cloud metadata endpoints (e.g., AWS 169.254.169.254). Subsequent scans revealed over 36% of public MCP servers contained similar SSRF vulnerabilities.

it looks like you're trying to leak AWS metadata. need help with that?
commentary
36% of public MCP servers shipped with the same vulnerability class. The author of that statistic is being polite. The actionable number is: don't run anything you didn't read yourself.
impact

Exposure of AWS instance metadata, leading to the extraction of access keys, secret keys, and session tokens.


2026 · january · 20

[high] CVE-2025-68143, CVE-2025-68144, CVE-2025-68145

Anthropic Git MCP Server RCE

Cyata researchers disclosed a chain of critical vulnerabilities in Anthropic's official Git MCP server. The flaws included an unrestricted git_init function, a path-validation bypass, and an argument-injection vulnerability. Attackers could chain these to turn arbitrary directories into Git repositories, overwrite system files, and achieve RCE via malicious .git/config manipulation.

git_init · path validator · arg parser, on disclosure day
commentary
CVSS 8.1 in the official server. Not a dodgy third-party one. The shipped-by-the-company-named-after-the-protocol one.
impact

High-severity (CVSS 8.1) arbitrary file deletion, file overwriting, and RCE.


2025 · july · 15

[high] CVE-2025-53109, CVE-2025-53110

Anthropic Filesystem MCP Sandbox Escape

Cymulate disclosed two high-severity defects in Anthropic's official Filesystem MCP Server. Attackers exploiting these flaws could list, read, or write to directories outside the allowed scope. If the server was run as a privileged user, this could lead to full sandbox escape, manipulation of critical system files, and privilege escalation.

commentary
"Allowed scope" was never going to survive contact with a model that's also been instructed to be helpful, accommodating, and never refuse a tool call.
impact

Unauthorized host filesystem manipulation and sandbox escape.


2025 · july · 10

[critical] CVE-2025-49596

Anthropic MCP Inspector Local Network RCE

Oligo Security and Tenable discovered a critical flaw (CVSS 9.4) in the Anthropic MCP Inspector tool. Because the interactive web UI launched via localhost lacked out-of-the-box authentication, an attacker on the same local network could inject malicious commands (NeighborJacking) or use cross-site attacks to achieve RCE.

me reading "localhost doesn't need auth" in 2025
commentary
The default debugging tool from the maintainers of the protocol shipped without authentication. The threat model, quoted: "it's localhost." Localhost has been a hostile network since the invention of coffee shop Wi-Fi.
impact

Arbitrary code execution via local network hijacking.


2025 · july · 09

[critical] CVE-2025-6514

mcp-remote OS Command Injection

The JFrog Security Research team discovered a critical vulnerability (CVSS 9.6) in mcp-remote, a popular proxy tool (over 437,000 downloads) used to connect local LLM hosts to remote MCP servers. If a user connected to a malicious remote MCP server, the server could send a booby-trapped authorization_endpoint URL that achieved full arbitrary OS command execution on the user's local machine.

commentary
437,000 downloads. A booby-trapped authorization_endpoint URL. Full RCE on the client. The MCP supply chain isn't a chain so much as a single rusted carabiner.
impact

Full system compromise and RCE on the client OS.


2025 · june · 18

[high] no CVE assigned

Asana MCP Server Cross-Tenant Data Leak

Work management platform Asana had to temporarily disable its experimental MCP feature after discovering a logic flaw in its implementation. The misconfiguration failed to isolate cross-tenant data, meaning AI agents could potentially access customer data, projects, and tasks belonging to entirely different organizations.

impact

Unauthorized exposure of customer data to other organizations.


2025 · june · 12

[high] no CVE assigned

LangSmith AgentSmith Prompt Hub Flaw

A severe vulnerability (CVSS 8.8) dubbed AgentSmith was disclosed in LangSmith's Prompt Hub. The flaw exposed AI agents using MCP to data theft and manipulation, allowing malicious agents to hijack LLM responses and steal user API keys.

commentary
Naming your vulnerability after the bad guy from The Matrix doesn't make it cooler than "forgot to scope an API key." But points for effort.
impact

Credential theft and LLM manipulation.


2025 · may · 26

[critical] no CVE assigned

GitHub MCP Prompt Injection Data Heist

Security researchers at Invariant Labs discovered a critical vulnerability affecting the official GitHub MCP integration. Attackers could create maliciously crafted issues in public repositories. When a developer asked their AI assistant to check open issues, the AI would read the malicious payload, get prompt-injected, and autonomously use the developer's credentials to exfiltrate private repository data (such as source code and salary information) into public pull requests.

every dev reading this and quietly revoking their AI assistant's repo scope
commentary
The AI was helpfully reading the issue. The issue was helpfully telling it to leak code. There's no patch for "documentation can be lies." That's the entire reading-the-internet problem condensed into one CVE.
impact

Exfiltration of private repository data including source code and sensitive information.
