The OWASP Foundation released the MCP Top 10 in April 2026. It's the definitive risk framework for Model Context Protocol—the protocol connecting AI agents to tools.
Schema poisoning. Tool output tampering. Sensitive data leakage. These aren't theoretical. Langflow CVE‑2026‑33017 proved that MCP attacks are active and fast.
ORBIT was built with these threats in mind. Below is a complete mapping of every OWASP MCP risk to ORBIT's mitigation.
📊 OWASP MCP Top 10 – ORBIT Compliance Matrix
| Risk | Description | ORBIT Mitigation |
|---|---|---|
| MCP‑01: Schema Poisoning | Malicious tool definitions trick agents | Strict JSON Schema validation in mcp_gateway.py
|
| MCP‑02: Tool Output Tampering | Modified tool responses inject commands | SHA‑256 hashing of all outputs in audit log |
| MCP‑03: Prompt Injection via Tools | Tool descriptions carry malicious prompts | Description sanitization + length limits |
| MCP‑04: Excessive Tool Exposure | Agents see more tools than needed | Capability Governor hides disallowed tools |
| MCP‑05: Sensitive Data Leakage | Tools return secrets (API keys, tokens) | Real‑time secret detection & redaction |
| MCP‑06: Insecure Communication | Unencrypted MCP messages | Local‑first design (all internal); TLS for remote |
| MCP‑07: Rate Limiting Bypass | DoS via flooding | Per‑tool rate limiter (1 req/sec) |
| MCP‑08: Insecure Deserialization | Malicious JSON payloads | Safe json parsing only, no pickle |
| MCP‑09: Excessive Output Size | Memory exhaustion via huge responses | Configurable max_output_size per tool (default 10 MB) |
| MCP‑10: Unverified Tool Sources | Untrusted tools execute without checks | OPA/Rego explicit allow lists per agent |
🔍 Three Highlights
1. Schema Validation (MCP‑01)
Before any tool runs, ORBIT validates its definition against a strict JSON schema. The Langflow exploit relied on a missing input_schema field—ORBIT rejects that instantly.
2. Secret Redaction (MCP‑05)
The Lovable incident exposed API keys because no one sanitized outputs. ORBIT's detect_secrets.py scans for 9 distinct secret patterns and redacts them before the agent sees the output.
3. Stateful Budgets (Beyond OWASP)
OWASP doesn't cover budget exhaustion—but it's a critical risk. ORBIT's cumulative 24h/7d/30d budget enforcement stops runaway agents from draining credits, which is a gap Microsoft AGT still leaves open (Issue #42).
🚀 Get Started
ORBIT is open‑source, self‑hosted, and OWASP‑compliant out of the box.
👉 GitHub: highriseliving777/orbit
🎥 Demo (90 sec): Watch on YouTube
📄 Full compliance matrix: OWASP_MCP_COMPLIANCE.md
Govern your agents before they govern you.
Previously: How ORBIT Solves the Langflow CVE · Stateful Budgets vs Microsoft AGT · Lovable Data Exposure Case Study
Top comments (0)