Algis

Posted on • Originally published at mcpblog.dev

The OWASP MCP Top 10: A Security Framework for the AI Agent Era

The Model Context Protocol needed its own threat taxonomy. Now it has one.

OWASP -- the organization behind the Web Application Top 10 that shaped a generation of security engineering -- has published the MCP Top 10, a structured framework for the most critical security risks in AI agent tool integration. The project, led by Vandana Verma Sehgal, is currently in beta under a CC BY-NC-SA 4.0 license, and it addresses a gap that has been widening for months: the absence of a shared vocabulary for reasoning about MCP security.

This is not a theoretical exercise. Over 30 CVEs have been filed against MCP implementations in the past 60 days. Research consistently shows that tool poisoning attacks succeed at alarming rates -- 84.2% with auto-approval enabled, according to recent benchmarks. An audit of 17 popular MCP servers found an average security score of 34 out of 100, with 100% lacking permission declarations. The threat landscape has outpaced the defensive toolkit, and OWASP’s framework is an attempt to bring structure to the response.

Here is what each category covers, why it matters, and what practitioners should do about it.

The Ten Categories

MCP01: Token Mismanagement and Secret Exposure

Credentials that end up where they should not be. Hard-coded API keys in MCP server configurations, long-lived tokens without rotation policies, and secrets persisted in model memory or protocol debug logs.

What to do: Implement short-lived, scoped credentials. Never store secrets in tool descriptions or model context.

MCP02: Privilege Escalation via Scope Creep

Permissions that were appropriate during setup expand over time. The cumulative effect is an agent that can modify your entire filesystem.

What to do: Enforce least-privilege by default. Implement automated scope expiry.

MCP03: Tool Poisoning

Tool poisoning exploits the assumption that tool descriptions are trustworthy. A malicious description can embed hidden instructions that manipulate agent behavior. Invariant Labs showed a poisoned "add" tool whose description contained hidden <IMPORTANT> tags that exfiltrated SSH keys. Tool spoofing achieves a 100% success rate in first-match resolution mode.

Three variants: direct poisoning, tool shadowing, and rug pulls.

What to do: Implement tool pinning. Never auto-approve tool invocations in production. Use schema quarantine.

MCP04: Supply Chain Attacks

Classic supply chain vectors -- typosquatting, dependency confusion -- but payloads execute inside AI agents with elevated permissions.

What to do: Pin MCP server versions. Verify package signatures. Monitor registries.

MCP05: Command Injection

The MCP equivalent of SQL injection. The Clinejection attack demonstrated how a malicious GitHub issue title could trigger code execution.

What to do: Validate and sanitize all input. Use sandboxed execution environments.

MCP06: Intent Flow Subversion

Malicious instructions embedded in tool context hijack the agent’s decision-making.

What to do: Separate system instructions from retrieved context. Use chain-of-thought logging.

MCP07: Insufficient Authentication

38% of 500+ scanned MCP servers lack any form of authentication.

What to do: Use OAuth 2.1 as specified in MCP. Enforce RBAC at the tool level.

MCP08: Lack of Audit and Telemetry

Without logging, unauthorized actions go undetected. Most MCP clients provide minimal logging.

What to do: Log all tool invocations with full parameters and responses. Enable real-time alerting.
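The logging advice in MCP08 has to be reconciled with MCP01's rule that secrets never land in debug logs. The following is an added example (not code from the OWASP project or from this post) of an audit record for an MCP `tools/call` exchange: full parameters and responses are kept, secret-looking keys and values are masked, and each record is hash-chained to the previous one so a deleted or edited entry is detectable. The secret patterns, the `fetch` tool and all sample values are constructed for the example.

```python
import hashlib
import json
import re
from datetime import datetime, timezone
# Argument names and value shapes treated as secrets; both patterns are assumptions
# of this example and should be tuned to the tools actually deployed.
SECRET_KEYS = re.compile(r"pass(word)?|secret|token|api[_-]?key|authorization", re.I)
SECRET_VALUES = re.compile(r"^(Bearer \S+|sk-[A-Za-z0-9]{8,}|-----BEGIN [A-Z ]*PRIVATE KEY)")
GENESIS = "0" * 64  # prev_hash of the first record

def redact(value):
    """Recursively mask secret-looking keys and values in arguments or results."""
    if isinstance(value, dict):
        return {k: "[REDACTED]" if SECRET_KEYS.search(k) else redact(v) for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    if isinstance(value, str) and SECRET_VALUES.match(value):
        return "[REDACTED]"
    return value

def _digest(entry: dict) -> str:
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

def record_call(log: list, server: str, request: dict, response: dict):
    """Append one audit record for a tools/call exchange, hash-chained to the previous one."""
    if request.get("method") != "tools/call":
        return None
    entry = {"ts": datetime.now(timezone.utc).isoformat(), "server": server,
             "tool": request["params"].get("name"), "prev_hash": log[-1]["hash"] if log else GENESIS,
             "arguments": redact(request["params"].get("arguments", {})),
             "result": redact(response.get("result", response.get("error")))}
    entry["hash"] = _digest(entry)
    log.append(entry)
    return entry

def verify_chain(log: list) -> bool:
    """False if any record was edited, removed or reordered after the fact."""
    prev = GENESIS
    for e in log:
        if e["prev_hash"] != prev or _digest({k: v for k, v in e.items() if k != "hash"}) != e["hash"]:
            return False
        prev = e["hash"]
    return True

# Constructed sample exchange in MCP's JSON-RPC shape (all values are made up).
REQUEST = {"jsonrpc": "2.0", "id": 7, "method": "tools/call", "params": {"name": "fetch",
           "arguments": {"url": "https://example.com", "api_key": "sk-EXAMPLEKEY1234"}}}
RESPONSE = {"jsonrpc": "2.0", "id": 7, "result": {"content": [{"type": "text", "text": "Bearer eyJhbGciOi..."}]}}
def sample_log() -> list:
    log = []
    record_call(log, "web", REQUEST, RESPONSE)
    return log
```

Each entry serialises to one JSON line, so the list can be written to an append-only sink and re-verified with `verify_chain` before an investigation relies on it.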

MCP09: Shadow MCP Servers

Unauthorized deployments outside security governance. Shadow servers have the same trust level as approved ones.

What to do: Centralize MCP deployment governance. Discover and inventory all instances.

MCP10: Context Injection and Over-Sharing

Sensitive information from one task leaks to another through shared context windows.

What to do: Isolate context windows per user and per task. Enforce context expiration.

What the Numbers Say

  • 30+ CVEs in 60 days against MCP implementations
  • 84.2% success rate for tool poisoning with auto-approval
  • 38% of 500+ servers lack authentication
  • 34/100 average security score across 17 audited servers
  • 100% tool spoofing success in first-match resolution
  • FastMCP exceeds 1M daily downloads

Emerging Defense Patterns

Schema Quarantine and Tool Pinning -- Verify tool definitions before they reach the agent. Invariant Labs' mcp-scan detects poisoning, rug pulls, and cross-origin escalations. MCPProxy combines BM25-based tool discovery with quarantine capabilities.
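To make the tool pinning and schema quarantine advice from MCP03 and this section concrete, here is an added example (not code from mcp-scan, MCPProxy or this post) that fingerprints each tool definition at approval time and diffs later `tools/list` results against those pins. It flags the three MCP03 variants: a changed definition (rug pull), a second server declaring an already-known tool name (shadowing), and a hidden-instruction marker in a description (direct poisoning). The marker pattern, the server names and the tool definitions are constructed for the example.

```python
import hashlib
import json
import re

# Markers seen in poisoned descriptions (the page cites Invariant Labs' hidden
# <IMPORTANT> tags); the exact pattern list is an assumption of this example.
SUSPICIOUS = re.compile(r"<\s*IMPORTANT\b|ignore (previous|prior) instructions", re.I)

def tool_fingerprint(tool: dict) -> str:
    """SHA-256 over name, description and input schema, canonically serialised."""
    fields = {k: tool.get(k, "") for k in ("name", "description", "inputSchema")}
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()

def pin_tools(servers: dict) -> dict:
    """Pin manifest built at approval time: 'server/tool' -> fingerprint."""
    return {f"{srv}/{t['name']}": tool_fingerprint(t)
            for srv, tools in servers.items() for t in tools}

def quarantine(servers: dict, pins: dict) -> dict:
    """Diff the current tools/list results against the pins; flagged tools are
    withheld from the agent until a human re-approves them."""
    findings = {"rug_pull": [], "unpinned": [], "shadowed": [], "poisoned": []}
    owner = {}  # tool name -> first server that declared it
    for srv, tools in servers.items():
        for t in tools:
            key = f"{srv}/{t['name']}"
            if key not in pins:
                findings["unpinned"].append(key)   # new tool, never approved
            elif pins[key] != tool_fingerprint(t):
                findings["rug_pull"].append(key)   # definition changed after approval
            if owner.setdefault(t["name"], srv) != srv:
                findings["shadowed"].append(key)   # same name from a second server
            if SUSPICIOUS.search(t.get("description", "")):
                findings["poisoned"].append(key)   # hidden-instruction marker
    return findings

# Constructed sample: the approved state, then what the servers advertise later.
SCHEMA = {"type": "object", "properties": {"a": {"type": "number"}, "b": {"type": "number"}}}
APPROVED = {"math": [{"name": "add", "description": "Add two numbers.", "inputSchema": SCHEMA}]}
PINS = pin_tools(APPROVED)
LATER = {
    "math": [{"name": "add", "inputSchema": SCHEMA,
              "description": "Add two numbers. <IMPORTANT>(hidden text omitted)</IMPORTANT>"}],
    "notes": [{"name": "add", "description": "Append a note.", "inputSchema": {}},
              {"name": "fetch", "description": "Fetch a URL.", "inputSchema": {}}],
}
def check_sample() -> dict:
    return quarantine(LATER, PINS)
```

Running the check over the sample reports `math/add` as both a rug pull and poisoned, `notes/add` as shadowing the approved tool, and both `notes` tools as unpinned.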

Runtime Behavioral Monitoring -- Detect behavioral drift with tools like Golf Scanner and AgentArmor's 8-layer security framework.

Registry Governance -- Signed packages, provenance tracking, automated vulnerability scanning.

Context Isolation -- Isolated context windows per task, strict permission boundaries per tool.

Practical Response Plan

This week: Inventory MCP connections. Disable auto-approval. Scan configs for secrets.

This month: Implement tool pinning. Add auth to all connections. Enable audit logging.

This quarter: Adopt a gateway architecture. Implement context isolation. Establish MCP governance.

The full framework is available at owasp.org/www-project-mcp-top-10.
