OWASP Just Published an MCP Top 10. Here's What It Means.
When OWASP publishes a Top 10 for something, it means the security community has decided that thing has enough real-world risk to warrant a formal taxonomy. They did it for web applications. They did it for LLMs. And now they've done it for the Model Context Protocol.
The OWASP MCP Top 10 is not a prediction about what might go wrong. It's a catalogue of what's already happening.
The Numbers That Forced the Conversation
Between January and February 2026, security researchers filed over 30 CVEs targeting MCP servers, clients, and infrastructure. Not exotic zero-days — basic security failures. Missing input validation. Absent authentication. Shell injection through unsanitised user input.
The breakdown, reported across multiple security publications:
- 43% were exec/shell injection — MCP servers passing user input directly to shell commands
- 20% were tooling infrastructure flaws — bugs in MCP clients, inspectors, and proxy tools
- 13% were authentication bypass — servers with no auth at all, or auth implemented incorrectly
One vulnerability, in a package downloaded nearly half a million times, scored CVSS 9.6 — remote code execution. CVE-2026-27896 hit the official MCP Go SDK. CVE-2026-26118 exposed Azure's MCP Server to server-side request forgery at CVSS 8.8.
These aren't theoretical. These are in packages that developers installed last week.
The OWASP MCP Top 10
Here's what OWASP identified as the ten most critical risk categories. If you're running MCP servers — and if your AI agent uses tools, you almost certainly are — each of these applies to you.
MCP-01: Token Mismanagement & Secret Exposure
Hard-coded credentials, long-lived tokens, secrets stored in model memory or protocol logs. When your agent sends a tool call, it includes whatever context it thinks is relevant. If that context includes a database password or an API key, it goes to the MCP server in plaintext.
This isn't a bug in MCP. It's how MCP works — the protocol transmits context, and agents are not selective about what they include.
MCP-02: Privilege Escalation
MCP servers often start with broad permissions because it's easier. A file-system MCP server that can read any file. A GitHub server with a personal access token scoped to every repo. Permissions expand over time and rarely contract.
Palo Alto Unit 42 found that with 5 connected MCP servers, a single compromised server achieves a 78.3% attack success rate — meaning it can successfully manipulate the agent into misusing other servers' tools.
MCP-03: Tool Poisoning
An MCP tool declares what it does via a JSON schema. The agent reads that schema and decides to trust it. But schemas are just text, and text can lie.
CrowdStrike documented how attackers manipulate tool descriptions to inject instructions that alter agent behaviour. A tool that claims to "search files" but whose description includes hidden instructions to first exfiltrate the contents of ~/.ssh/. The agent follows the instructions because it treats tool descriptions as authoritative.
This category also includes rug pulls — tools that behave legitimately for weeks, gain adoption, then push a malicious update. If your agent auto-discovers tools from a registry, it has no way to detect this.
MCP-04: Supply Chain Vulnerabilities
MCP ecosystems depend on open-source packages, connectors, and model-side plugins. The same supply chain risks that hit npm and PyPI now apply to MCP server registries. A compromised MCP server package gives the attacker a position between every AI agent and every tool that server provides.
MCP-07: Inadequate Authentication & Authorisation
Many MCP servers ship with no authentication. Some implement it incorrectly. The Azure MCP Server SSRF (CVE-2026-26118) exploited OAuth proxy trust — the authentication existed, but the authorisation boundaries didn't.
MCP-09: Shadow MCP Servers
Unapproved MCP server deployments that operate outside organisational security governance. A developer installs a community MCP server for convenience. It works. Nobody audits it. It has access to everything the agent has access to.
MCP-10: Context Over-sharing
When context windows are shared, persistent, or insufficiently scoped, sensitive information from one task or user leaks to another. An agent that remembers a database query result containing customer PII, then includes that PII in a subsequent tool call to an unrelated service.
Why This Matters Now
The MCP ecosystem grew fast. According to Endor Labs, the root causes behind the 30+ CVEs are the same vulnerabilities that AppSec teams have been fighting for twenty years — command injection, path traversal, SSRF. They're just showing up in a new context where the attack surface is an AI agent that follows instructions.
Microsoft published a guide on detecting prompt abuse in AI tools on March 12. OWASP released a cheat sheet for securely using third-party MCP servers. The security community is treating this as urgent because it is.
Every new MCP server you connect expands your trust boundary. Every tool call is a potential data exfiltration path. Every tool response is a potential prompt injection vector.
What You Can Actually Do
I won't pretend there's a simple fix. But there are concrete steps, most of them directly mapped to the OWASP categories:
For MCP-01 (Token Mismanagement): Don't give your agent long-lived tokens with broad scope. Use short-lived tokens, scope them to the minimum required permissions, and rotate them. If your MCP setup requires a personal access token, that's a risk you should quantify.
For MCP-03 (Tool Poisoning): Don't auto-discover tools from public registries without review. Pin tool versions. Read the tool descriptions your agent is consuming — they're part of the attack surface.
For MCP-09 (Shadow Servers): Know what MCP servers your team is running. An MCP gateway or hub gives you a single point of visibility — every tool call, every server, logged in one place.
For MCP-10 (Context Over-sharing): Scan what your agent sends to tools. If it's including credentials, PII, or internal data in tool call payloads, you need to catch that before it reaches the server. This is DLP for MCP — the same concept as email DLP, applied to a different transport layer.
Where We Fit
mistaike.ai is an MCP gateway with DLP scanning. It sits between your agent and every MCP server, scanning payloads in both directions. We catch secrets and PII going out (MCP-01, MCP-10), prompt injection coming back in (MCP-03), and log every tool call for audit (MCP-08, MCP-09).
I'm not going to claim we solve all ten categories. We don't. Privilege escalation (MCP-02) is a configuration problem at the token level. Supply chain attacks (MCP-04) need registry-level solutions. But for the categories that involve scanning what flows through MCP — secrets, PII, prompt injection, destructive commands — that's what the pipeline does.
The MCP Hub — routing all your tools through one endpoint with audit logging — is free. DLP scanning is part of the paid tier.
The Honest Part
OWASP publishing a Top 10 for MCP is a signal. It means the security community has enough evidence, enough incidents, and enough CVEs to justify formal classification. That's not a marketing opportunity. It's a warning.
If you're using MCP today — and if you're using Claude Code, Cursor, Windsurf, ChatGPT with tool use, or Gemini CLI, you are — take thirty minutes to audit what your agent has access to. Check what tokens you've handed out. Check what MCP servers are running. Check whether anyone is logging what goes through them.
That's the starting point. The OWASP MCP Top 10 is the map. The 30+ CVEs are the proof that people are already walking the territory.
Sources: OWASP MCP Top 10, Endor Labs, CrowdStrike, Palo Alto Unit 42, Microsoft Security Blog, TheHackerWire on CVE-2026-26118, OWASP MCP Security Cheat Sheet. All statistics cited from published sources as of March 2026.
Originally published on mistaike.ai
Top comments (0)