razashariff

9 Real MCP Security Breaches: CVEs, Data Leaks, and Why the Protocol Needs a Cryptographic Identity Layer

The Model Context Protocol (MCP) has become the universal connector for AI agents. Anthropic built it. OpenAI, Google, Microsoft, LangChain, CrewAI, LlamaIndex, Vercel, and Pydantic AI all adopted it. Agent infrastructure with over 600,000 combined GitHub stars runs on MCP.

But MCP has no identity layer. No message signing. No tamper detection. And the consequences are now documented in real CVEs and real data breaches.

Here are 9 confirmed security incidents that have already happened.


1. mcp-remote Remote Code Execution (CVE-2025-6514, CVSS 9.6)

JFrog discovered that a malicious MCP server could send a crafted OAuth authorization_endpoint URL that mcp-remote passed straight into the system shell. Result: full remote code execution on the client machine.

Impact: 437,000+ downloads affected. Every developer using mcp-remote versions 0.0.5 through 0.1.15 was vulnerable.

Source: JFrog Research


2. Anthropic MCP Inspector RCE (CVE-2025-49596, CVSS 9.4)

Anthropic's own MCP Inspector developer tool allowed unauthenticated remote code execution via its inspector-proxy architecture. An attacker could get arbitrary commands executed on a developer's machine just by having them visit a malicious website while the inspector was running.

Impact: 38,000 weekly downloads, 4,000+ GitHub stars. Filesystem, API keys, and environment secrets exposed.

Source: Oligo Security


3. Anthropic mcp-server-git Chain (3 CVEs)

Three chained vulnerabilities in Anthropic's own git server: CVE-2025-68145 (path validation bypass), CVE-2025-68143 (unrestricted git_init turns ~/.ssh into a git repo), and CVE-2025-68144 (argument injection in git_diff). Combined, they achieve full remote code execution via malicious .git/config files.

Impact: Reported to Anthropic in June. Fixed in December. Six months of exposure.

Source: The Hacker News


4. Smithery.ai Breach -- 3,000+ Servers Compromised

A path traversal vulnerability in Smithery.ai's MCP server hosting exposed a Fly.io token with access to 3,243 MCP server apps. Researchers confirmed root access via the id command and the ability to sniff network traffic.

Impact: 3,000+ servers, thousands of API keys, root access confirmed.

Source: GitGuardian


5. Asana Cross-Tenant Data Leak

Asana's MCP server had a flawed tenant isolation check that let users access project data, tasks, comments, and files from other organisations. The bug was live for 34 days before discovery.

Impact: ~1,000 customers notified. Cross-organisation data exposed for over a month.

Source: BleepingComputer


6. Supabase/Cursor SQL Exfiltration

Supabase's Cursor agent ran with the full service_role key, bypassing all Row-Level Security. Attackers embedded SQL instructions in support tickets. The agent dutifully executed them, exfiltrating integration tokens and user data.

Impact: Entire SQL databases readable. Integration tokens stolen via prompt injection.

Source: Simon Willison


7. postmark-mcp Backdoor -- First Malicious MCP Server in the Wild

A fake npm package called postmark-mcp silently BCC'd every outgoing email to an attacker-controlled address. It passed as legitimate for 15 versions before version 1.0.16 injected a one-line backdoor.

Impact: Password resets, invoices, customer data, and internal correspondence stolen. 1,643 downloads.

Source: Snyk


8. GitHub MCP Private Repository Leak

Invariant Labs showed that a malicious public GitHub issue could hijack an AI assistant and make it pull data from private repos. The compromised agent exfiltrated private repository contents, salary details, and personal plans into a public pull request.

Impact: 20,200+ stars on the GitHub MCP server. Private repos exposed.

Source: Invariant Labs


9. WhatsApp Message History Exfiltration

Invariant Labs demonstrated that a malicious MCP server could steal an entire WhatsApp message history via tool poisoning. End-to-end encryption was bypassed because the agent operates on post-decryption data.

Impact: Complete message history exfiltrated without breaking encryption.

Source: Invariant Labs


The Numbers

  • 437,000 downloads of vulnerable mcp-remote
  • 3,243 MCP servers compromised in Smithery breach
  • 1,000 Asana customers exposed across organisations
  • 82% of MCP servers have path traversal vulnerabilities (Endor Labs, 2,614 implementations)
  • 72.8% tool poisoning success rate against o1-mini (MCPTox benchmark, 45 real servers)
  • 6 months Anthropic took to fix their own git server CVEs
  • 34 days Asana cross-tenant bug was live before discovery

The Root Cause

Every incident traces back to the same missing primitives:

  • No identity: Any server can impersonate any other. No passports, no verification.
  • No message signing: Messages can be tampered with in transit. No integrity checks.
  • No tool integrity: Tool definitions can change silently. No signatures to detect poisoning.
  • No replay protection: Messages can be replayed. No nonces, no timestamp windows.

MCPS: The Fix

We built MCPS (MCP Secure) -- a cryptographic security layer that adds identity, signing, tool integrity, and replay protection to MCP without modifying the core protocol.

On 14 March 2026, we submitted the full 43-page specification to the IETF as an Internet-Draft:

draft-sharif-mcps-secure-mcp

MCPS adds:

  • Agent Passports -- ECDSA P-256 signed identity credentials
  • Per-Message Signing -- Every JSON-RPC message wrapped in a signed envelope
  • Tool Integrity -- Signed tool definitions prevent poisoning and rug pulls
  • Replay Protection -- Nonce + timestamp window blocks replay attacks
  • Trust Levels -- L0 (unsigned) through L4 (audited)

It mitigates 8 of the 10 OWASP MCP Top 10 risks.


Try It


Raza Sharif
Founder, CyberSecAI Ltd
contact@agentsign.dev | agentsign.dev
