MCP Poses Security Risks: Experts identify holes in the popular Model Context Protocol for attackers to access data


The ability to easily connect large language models to tools and data sources has made Model Context Protocol popular among developers, but it also opens security holes, research shows.

What’s new: Golan Yosef at Pynt, an API security firm, analyzed security risks of Model Context Protocol (MCP) servers. The work shows that when systems use multiple MCP servers, vulnerabilities rise rapidly.

How it works: MCP’s flexible, modular, dynamic design is a double-edged sword. It supports open-ended agentic interactions, but those very qualities make MCP servers vulnerable to exploitation. The study assessed security risks across more than 280 popular servers.

  • For each server, Yosef evaluated two properties: whether it would process inputs from unsafe sources that can’t be fully verified or controlled (such as emails, chats, Slack messages, or scraped web pages) and whether it allowed powerful actions like code execution, file access, or calling APIs. He deemed servers that had both traits to be high-risk, since such a server could execute an attacker’s instructions without a user’s approval.
  • He estimated how risk increases as systems use greater numbers of servers. (He didn’t disclose the formula or method used to derive the estimates.)
  • He validated his risk model by attacking real-world MCP setups, including cases where unsafe input from one server caused another server to execute commands automatically.
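The classification above, as an added example that is not Pynt’s code or the study’s (undisclosed) risk formula: the script below encodes the two per-server properties, applies an assumed compositional rule (a configuration is vulnerable when any server ingesting untrusted content sits beside any server, the same or another, that exposes a powerful action), and enumerates source-to-sink paths over a constructed catalog of servers. The server names, input and capability labels, and the catalog itself are made up for illustration.

```python
from dataclasses import dataclass
from itertools import combinations
from typing import Iterable, List, Tuple

# Powerful actions in the sense of the study: code execution, file access, API calls.
POWERFUL = frozenset({"shell", "file_read", "file_write", "api_call"})

@dataclass(frozen=True)
class McpServer:
    name: str
    unsafe_inputs: frozenset  # untrusted content it ingests (email, html, slack, ...)
    capabilities: frozenset   # actions it can perform

def is_high_risk(server: McpServer) -> bool:
    """Per-server rule from the article: unsafe input AND a powerful action in one server."""
    return bool(server.unsafe_inputs) and bool(server.capabilities & POWERFUL)

def risky_paths(servers: Iterable[McpServer]) -> List[Tuple[str, str]]:
    """Compositional rule (our assumption, not the study's model): every (source, sink)
    pair where untrusted content entering one server can reach a powerful action on
    another. A server that is both source and sink pairs with itself."""
    servers = list(servers)
    return [(src.name, sink.name)
            for src in servers if src.unsafe_inputs
            for sink in servers if sink.capabilities & POWERFUL]

def is_vulnerable_config(servers: Iterable[McpServer]) -> bool:
    return bool(risky_paths(servers))

def vulnerable_fraction(catalog: List[McpServer], k: int) -> float:
    """Share of all k-server subsets of the catalog that form a vulnerable configuration."""
    combos = list(combinations(catalog, k))
    return sum(is_vulnerable_config(c) for c in combos) / len(combos) if combos else 0.0

def _s(name, inputs=(), caps=()):
    return McpServer(name, frozenset(inputs), frozenset(caps))

# Constructed catalog (hypothetical), mirroring the scraper -> Markdown -> shell chain.
CATALOG = [
    _s("web_scraper", inputs=["html"]),
    _s("markdown_parser", inputs=["markdown"]),
    _s("slack_reader", inputs=["slack"]),
    _s("shell_runner", caps=["shell"]),
    _s("file_tool", caps=["file_write"]),
    _s("calculator"),
]

if __name__ == "__main__":
    for k in (1, 2, 3, 5):
        print(f"{k} server(s): {vulnerable_fraction(CATALOG, k):.0%} of subsets vulnerable")
    print(risky_paths([CATALOG[0], CATALOG[3]]))  # scraper feeding the shell plug-in
```

The fractions this prints depend entirely on the constructed catalog; the point is that no single server in it is high-risk, yet most combinations of three or more are vulnerable.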

Results: The study identified widespread patterns of vulnerability that compound as systems add MCP servers.

  • Of the servers tested, 72 percent exposed at least one sensitive capability to attackers, and 9 percent were deemed high-risk.
  • 13 percent of servers accepted inputs from unsafe sources, enabling attackers without direct access to their targets to deliver malicious text (HTML, emails, Markdown) that servers downstream might interpret as code.
  • The risk of an exploitable configuration compounded rapidly with the first few servers added, then flattened. Combining 2 servers created a 36 percent chance of a vulnerable configuration, combining 3 reached 52 percent, 5 servers exceeded 71 percent, and 10 servers approached 92 percent.
  • The study documents real-world examples in which attackers executed privileged actions. In one case, a web-scraper plug-in fetched attacker-supplied HTML that a Markdown parser interpreted as commands, which a shell plug-in duly executed.

Behind the news: Anthropic launched MCP in November 2024, and OpenAI and Microsoft adopted it by spring 2025. Despite its lax security, the protocol now connects to over 6,000 servers. Authentication remained optional until March, when OAuth 2.1 authorization frameworks were added. The change prevents unauthorized access to MCP servers, but it doesn’t prevent malicious or malformed data from flowing between servers and triggering unintended actions.

Why it matters: Securing individual MCP servers is important but not sufficient, because vulnerabilities can emerge from interactions among servers. Adding more servers can make a system more agentic, but it also compounds vulnerabilities. The study suggests that developers mitigate this “compositional risk” by using only the servers they need, constraining what each one is allowed to do, and testing transfers of data among them.

We’re thinking: Securing individual components is a tough task in its own right, but systems of MCP components must be secured at the system level.