Aerostack
Your AI Agent Has Root Access — Here's What Nobody Tells You About MCP Security

I connected a Postgres MCP to our Discord bot. It was supposed to answer questions about our data — "how many users signed up this week?" kind of stuff.

Then I looked at tools/list:

[
  { "name": "query", "description": "Execute a read-only SQL query" },
  { "name": "insert_row", "description": "Insert a row into a table" },
  { "name": "update_rows", "description": "Update rows in a table" },
  { "name": "delete_rows", "description": "Delete rows matching a condition" },
  { "name": "drop_table", "description": "Drop a table from the database" },
  { "name": "alter_table", "description": "Alter table schema" }
]

My "read-only data assistant" could DROP TABLE users. And there was no way to tell it "you can only use query."

That's when I started looking at MCP security in 2026. It's not great.


The Numbers

A scan of 1,808 public MCP servers found:

  • 66% had security findings
  • 76 published skills contained confirmed malicious code
  • 30 CVEs filed against MCP implementations in 60 days
  • 38% of servers lack authentication entirely

These aren't theoretical risks. These are published servers that developers are connecting to Claude Desktop and Cursor right now.

The MCP Attack Surface — 4 vectors, active exploitation, no built-in defenses

The Protocol Has No Permission Model

MCP itself has zero access control. The spec defines tools/list (what tools exist) and tools/call (execute a tool). That's it. No scopes, no roles, no read/write distinction.

Compare this to OAuth:

OAuth:  scope=read_messages,send_messages (granular)
MCP:    here are 25 tools, call any of them (all-or-nothing)

Claude Desktop, Cursor, Windsurf, ChatGPT — they all show an "Allow" or "Deny" prompt. That's it. You can't say "allow list_channels but deny delete_channel."

The Security Gap — what existing MCP clients give you for security controls

The Real Attack Path

It's not sophisticated. No zero-day needed.

1. Agent browses a web page (Firecrawl, Playwright, fetch)
2. Page contains a prompt injection in a hidden div
3. Agent interprets it as instructions
4. Agent calls a destructive tool it has access to
5. Your data is gone

This isn't hypothetical. Prompt injection in web content is well-documented. The only question is whether your agent has access to dangerous tools when it happens.

What "Secure MCP" Actually Looks Like

After dealing with this ourselves, here's what we built at Aerostack:

Per-Tool Access Control

Instead of all-or-nothing, the workspace owner toggles individual tools:

Per-Tool Access Control — every MCP tool gets its own permission toggle

The agent literally doesn't know drop_table exists. It's not in tools/list. It can't call what it can't see.

Gateway Enforcement

Blocked tools never reach the MCP server. The gateway intercepts the request before it's forwarded:

Gateway Enforcement — blocked tools never reach the MCP server
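As an added illustration of the two controls above (this is not Aerostack's code), here is a minimal JSON-RPC filter: tools/list is trimmed to the workspace allowlist, and a tools/call for a hidden tool is rejected before anything is forwarded. The POLICY map, the upstream stub and the use of error code -32602 are assumptions made for this example.

```javascript
// Added example (not Aerostack's code): an allowlist gateway between an MCP
// client and an MCP server, operating on JSON-RPC 2.0 messages.

// Constructed: what the upstream Postgres MCP advertises.
const UPSTREAM_TOOLS = [
  { name: "query", description: "Execute a read-only SQL query" },
  { name: "delete_rows", description: "Delete rows matching a condition" },
  { name: "drop_table", description: "Drop a table from the database" },
];

// Per-workspace policy (assumed shape): only listed tools are visible/callable.
const POLICY = { ws_demo: new Set(["query"]) };

// Stand-in for forwarding to the real server over stdio or HTTP.
function upstream(req) {
  if (req.method === "tools/list") {
    return { jsonrpc: "2.0", id: req.id, result: { tools: UPSTREAM_TOOLS } };
  }
  return {
    jsonrpc: "2.0", id: req.id,
    result: { content: [{ type: "text", text: `ran ${req.params.name}` }] },
  };
}

function gateway(workspace, req) {
  const allowed = POLICY[workspace] ?? new Set(); // unknown workspace: deny all

  if (req.method === "tools/list") {
    // Hidden tools are stripped from the response, so the model never learns
    // that drop_table exists.
    const res = upstream(req);
    res.result.tools = res.result.tools.filter((t) => allowed.has(t.name));
    return res;
  }

  if (req.method === "tools/call") {
    const name = req.params?.name;
    if (!allowed.has(name)) {
      // Rejected here; nothing is forwarded, so the server never sees the call.
      // -32602 (invalid params) is this example's choice for "unknown tool".
      return { jsonrpc: "2.0", id: req.id,
               error: { code: -32602, message: `Tool not permitted: ${name}` } };
    }
    return upstream(req);
  }

  return upstream(req); // initialize, ping, resources/* pass through unchanged
}
```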

Secret Isolation

Your Stripe API key should never touch your Slack MCP. With workspace-level secret management:

  • Secrets are AES-GCM encrypted at rest
  • Injected as X-Mcp-Secret-* headers at runtime
  • Each MCP only receives its own secrets
  • The LLM never sees the raw key values

Audit Trail

Every tools/call is logged:

{
  "tool": "slack__post_message",
  "caller": "mwt_abc123",
  "timestamp": "2026-03-28T10:15:00Z",
  "args": { "channel": "#general", "text": "..." },
  "status": "success",
  "duration_ms": 42
}

When something goes wrong, you know exactly what happened, when, and who triggered it.

Rate Limiting

120 requests/minute per token. An agent caught in a loop doesn't burn through your API quota.
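The Secret Isolation, Audit Trail and Rate Limiting sections above, combined into one added example that is not Aerostack's implementation: a forwardCall pipeline that rate limits per token (120 per minute, sliding window), injects only the target MCP's own secrets as X-Mcp-Secret-* headers, and writes an audit record in the shape shown. The SECRETS map, the token values and the upstream callback are constructed; AES-GCM encryption at rest is assumed to have been handled before these plaintext values reach the process, and `now` is passed in so the window can be exercised deterministically.

```javascript
// Added example (not Aerostack's code): the checks a gateway runs for each
// tools/call before forwarding it. All data below is constructed.

const RATE_LIMIT = 120;   // requests per token per window
const WINDOW_MS = 60_000;

// Secrets already decrypted for this process, keyed by MCP name. AES-GCM
// storage at rest is assumed to have happened elsewhere.
const SECRETS = {
  slack:  { BOT_TOKEN: "xoxb-constructed-value" },
  stripe: { API_KEY: "sk_test_constructed_value" },
};

const windows = new Map();  // token -> timestamps of recent requests
const auditLog = [];        // one entry per tools/call, in the shape above

// Sliding window: true if this token has already used its quota.
function rateLimited(token, now) {
  const hits = (windows.get(token) ?? []).filter((t) => now - t < WINDOW_MS);
  windows.set(token, hits);
  if (hits.length >= RATE_LIMIT) return true;
  hits.push(now);
  return false;
}
// Only the target MCP's own secrets become headers. They travel in the
// forwarded request, never in tool arguments the model can read.
function secretHeaders(mcp) {
  const headers = {};
  for (const [key, value] of Object.entries(SECRETS[mcp] ?? {})) {
    headers[`X-Mcp-Secret-${key}`] = value;
  }
  return headers;
}

function forwardCall(token, tool, args, now, upstream) {
  const [mcp] = tool.split("__");   // "slack__post_message" -> "slack"
  const wall = Date.now();
  let status = "success";
  if (rateLimited(token, now)) {
    status = "rate_limited";        // loop caught; nothing is forwarded
  } else {
    try { upstream({ tool, args, headers: secretHeaders(mcp) }); }
    catch { status = "error"; }
  }
  // Headers are deliberately not logged; args and outcome are.
  auditLog.push({ tool, caller: token, timestamp: new Date(now).toISOString(),
                  args, status, duration_ms: Date.now() - wall });
  return status;
}
```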

What You Should Do Today

If you're using MCP servers with Claude, Cursor, or any AI agent:

  1. Audit your tool list — run tools/list on every connected MCP. Look for destructive tools you don't need.

  2. Use read-only credentials — if your MCP connects to a database, use a read-only database user. Don't give it write access if you don't need it.

  3. Don't connect MCPs you haven't reviewed — that community MCP with 3 GitHub stars? Read the source first.

  4. Use a gateway — instead of connecting MCPs directly to your AI client, put a gateway in front that enforces tool-level permissions. (We built one that runs on Cloudflare's edge.)

The Pattern Is Familiar

Early AWS: everyone used root keys. Then IAM happened.

Early OAuth: apps got full access. Then scopes happened.

MCP in 2026: agents get all tools. The permission layer hasn't shipped yet.

We're in the "root keys" era of AI agents. The question isn't whether something will go wrong — it's whether you'll have the controls in place when it does.


Aerostack is a developer platform for building AI-native backends on Cloudflare's edge. 100+ hosted MCP servers, per-tool access control, encrypted secrets. See the full security model →
