
The Other Side of the MCP Threat Conversation

Model Context Protocol (MCP) servers introduce a new attack surface akin to AI-native APIs, exposing organizations to protocol-level attacks, injection vulnerabilities, and authorization bypasses. Because MCP tools often use permissive validation to accommodate LLM inputs and proactively broadcast their capabilities via plain-English descriptions, attackers can easily map business logic and exploit downstream systems or trigger resource exhaustion.

Confidence: high | Analyzed: 2026-05-05

Authors: Maxim Zavodchik, Segev Fogel, Noam Atias

Source: Akamai

Detection / Hunter

What Happened

The Model Context Protocol (MCP) is a new standard that helps AI agents connect to external services, functioning much like an API. Organizations building these MCP servers are exposing them to direct attacks, such as data theft, unauthorized access, and system crashes. Because these servers are designed to be flexible for AI interactions, they often lack strict security checks, making them an easy target for hackers. Companies need to apply strong security rules, limit access, and monitor usage to prevent attackers from exploiting these AI connections.

Key Takeaways

  • Model Context Protocol (MCP) servers act as AI-native APIs and represent a direct attack surface, vulnerable to traditional application security risks.
  • Permissive validation designed to accommodate unpredictable LLM inputs significantly increases the risk of SQLi, command injection, and SSRF.
  • MCP's mandatory 'list/tools' and 'list/resources' capabilities inadvertently provide attackers with a searchable, plain-English map of the application's business logic.
  • High-volume agent traffic can cause Denial-of-Service (DoS) and rapid cost exhaustion, requiring identity-aware rate limits and budget controls.
  • MCP Resource Templates can be abused for path traversal and SSRF if URI parsing and authorization are weak.

Affected Systems

  • Model Context Protocol (MCP) Servers
  • AI Agents
  • LLM-integrated APIs

Attack Chain

Attackers directly target exposed MCP servers by enumerating capabilities using the mandatory list/tools and list/resources functions. They analyze the plain-English tool descriptions to map the application's business logic and identify sensitive endpoints. Attackers then send malformed JSON-RPC messages, oversized payloads, or crafted inputs to exploit permissive validation, leading to injection attacks (SQLi, SSRF) or resource exhaustion. Finally, attackers may abuse resource templates to perform path traversal or access cross-tenant data due to weak authorization controls.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

The article focuses on architectural threat modeling and does not provide specific detection rules or queries.

Detection Engineering Assessment

  • EDR Visibility: Low. EDR solutions typically lack visibility into application-layer API/JSON-RPC traffic unless an exploit results in underlying OS command execution.
  • Network Visibility: High. WAFs, API gateways, and network monitors can inspect JSON-RPC payloads, MCP traffic patterns, and URI structures for anomalies.
  • Detection Difficulty: Moderate. Detecting MCP abuse requires parsing JSON-RPC traffic and distinguishing malicious payloads from the naturally unpredictable and high-volume behavior of legitimate AI agents.

Required Log Sources

  • WAF Logs
  • API Gateway Logs
  • Application Audit Logs

Hunting Hypotheses

| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
| --- | --- | --- | --- |
| Attackers are enumerating MCP capabilities by repeatedly calling list/tools or list/resources from untrusted sources. | API Gateway Logs / WAF Logs | Discovery | Medium |
| Attackers are attempting SSRF by injecting internal IP addresses or cloud metadata URIs into MCP fetch/crawl tools. | Application Audit Logs / Network Traffic | Credential Access / Lateral Movement | Low |
| Attackers are attempting path traversal by manipulating MCP Resource Templates with directory traversal characters. | WAF Logs / Application Audit Logs | Collection | Low |
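As an added example (not from the Akamai article or this summary), a hunting script that runs the three hypotheses above over constructed API gateway log lines; the log field names, the identity key and the enumeration threshold are assumptions:

```python
import ipaddress
import json
from collections import Counter
from urllib.parse import unquote, urlparse
# Constructed API gateway log lines (one JSON-RPC request per line); not real traffic.
LOG_LINES = """
{"identity":"agent-7","method":"list/tools","params":{}}
{"identity":"agent-7","method":"list/resources","params":{}}
{"identity":"agent-7","method":"list/tools","params":{}}
{"identity":"agent-7","method":"list/tools","params":{}}
{"identity":"agent-2","method":"tools/call","params":{"name":"fetch","arguments":{"url":"http://169.254.169.254/latest/meta-data/"}}}
{"identity":"agent-2","method":"resources/read","params":{"uri":"file:///docs/../../etc/passwd"}}
{"identity":"agent-9","method":"tools/call","params":{"name":"fetch","arguments":{"url":"https://example.com/page"}}}
""".strip().splitlines()

# The summary writes the discovery methods as list/tools and list/resources;
# the MCP spec names them tools/list and resources/list, so match both.
ENUM_METHODS = {"list/tools", "list/resources", "tools/list", "resources/list"}
ENUM_THRESHOLD = 3  # assumed per-identity threshold; tune against a real baseline

def parse(lines):
    return [json.loads(line) for line in lines if line.strip()]

def enumeration_hits(events, threshold=ENUM_THRESHOLD):
    """Identities repeatedly calling the capability-listing methods (Discovery)."""
    counts = Counter(e["identity"] for e in events if e["method"] in ENUM_METHODS)
    return {ident: n for ident, n in counts.items() if n >= threshold}

def is_internal_target(url):
    """Literal loopback/private/link-local IPs and metadata hostnames only; DNS tricks need resolver controls."""
    host = urlparse(url).hostname
    if host in {"localhost", "metadata.google.internal"}:
        return True
    try:
        ip = ipaddress.ip_address(host or "")
    except ValueError:
        return False
    return ip.is_private or ip.is_loopback or ip.is_link_local

def ssrf_hits(events):
    """tools/call string arguments pointing at internal targets (e.g. cloud metadata)."""
    return [(e["identity"], e["params"]["name"], v)
            for e in events if e["method"] == "tools/call"
            for v in e["params"].get("arguments", {}).values()
            if isinstance(v, str) and is_internal_target(v)]

def traversal_hits(events):
    """resources/read URIs carrying a '..' segment, raw or percent-encoded."""
    return [(e["identity"], e["params"]["uri"]) for e in events
            if e["method"] == "resources/read"
            and ".." in unquote(e["params"].get("uri", "")).replace("\\", "/").split("/")]
```

Each function returns the matching identities so the results can feed a ticket or a SIEM enrichment step rather than only a console dump.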

Control Gaps

  • Lack of identity-aware rate limiting tailored for agent traffic
  • Permissive input validation designed to accommodate LLMs
  • Missing per-object authorization leading to BOLA/IDOR

Key Behavioral Indicators

  • High volume of parallel tool calls from a single identity
  • Malformed JSON-RPC messages or unexpected protocol version downgrades
  • Excessive error rates indicating probing of tool parameters

False Positive Assessment

  • Medium

Recommendations

Immediate Mitigation

  • Implement strict input validation and parameterization for all MCP tool arguments.
  • Enforce identity-aware rate limiting, per-session limits, and budget controls for agent traffic.

Infrastructure Hardening

  • Deploy WAF rules to inspect JSON-RPC payloads for malformed messages, oversized payloads, and injection attempts.
  • Restrict outbound network access from MCP servers to prevent SSRF via fetch/crawl tools.

User Protection

  • Enforce strict tenant isolation and derive tenant context server-side rather than trusting agent-supplied parameters.
  • Implement per-object authorization checks for all resource access.
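An added example, not code from the Akamai article or any MCP SDK, showing the weak pattern beside a hardened resources/read resolver that applies the two controls above together with the Resource Template checks from the key takeaways; the store layout, ACL, template and session shape are constructed assumptions:

```python
import re
from pathlib import Path
from urllib.parse import unquote

# Constructed state for the example: a per-tenant document root and a per-object ACL.
# Hypothetical names; this is not an MCP SDK API.
BASE = Path("/srv/mcp-store")  # assumed on-disk root holding one directory per tenant
ACL = {("acme", "q1-report.md"): {"alice"}, ("acme", "hr-notes.md"): {"bob"}}
TEMPLATE_PREFIX = "file:///docs/"  # the served resource template is file:///docs/{name}
NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")  # one segment, no separators or leading dots

class Session:
    """Authenticated context fixed at connect time; tenant is never read from request params."""
    def __init__(self, user, tenant):
        self.user, self.tenant = user, tenant

def read_resource_weak(uri):
    """The pattern the summary warns about: the agent-supplied URI is trusted wholesale,
    so '..' segments and other tenants' directories are reachable."""
    return (BASE / uri.removeprefix("file:///")).read_text()

def authorize_read(session, uri):
    """Hardened resolution for resources/read. Returns (True, path) or (False, reason)."""
    if not uri.startswith(TEMPLATE_PREFIX):
        return False, "uri does not match a served template"
    name = unquote(uri[len(TEMPLATE_PREFIX):])  # decode before validating
    if not NAME_RE.fullmatch(name):
        return False, "invalid resource name"
    tenant_root = (BASE / session.tenant).resolve()  # tenant derived server-side
    target = (tenant_root / name).resolve()
    if not target.is_relative_to(tenant_root):  # defence in depth behind the allowlist
        return False, "path escapes tenant root"
    if session.user not in ACL.get((session.tenant, name), set()):
        return False, "caller not authorized for this object"  # per-object (BOLA/IDOR) check
    return True, target
```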

Security Awareness

  • Train developers on the risks of exposing sensitive business logic or infrastructure details in plain-English MCP tool descriptions.
  • Incorporate MCP server security into standard API security testing and threat modeling programs.

MITRE ATT&CK Mapping

  • T1190 - Exploit Public-Facing Application
  • T1592 - Gather Victim Host Information
  • T1499 - Endpoint Denial of Service
  • T1198 - Network Service Discovery