Model Context Protocol (MCP) Security
MCP is rapidly becoming the standard way LLM agents call tools and fetch resources. Its attack surface is wide — and largely undocumented. This page tracks every MCP-related CVE we have analyzed.
What is MCP?
The Model Context Protocol (MCP) is an open standard introduced by Anthropic in late 2024. It lets LLM-powered agents discover and invoke tools (file system, shell, HTTP, databases, third-party APIs) through a uniform client/server interface. By mid-2026 MCP is supported by Claude Desktop, Cursor, LangFlow, n8n, OpenAI Codex CLI, Gemini CLI, LiteLLM, PraisonAI, and dozens of community implementations.
MCP solves real fragmentation problems, but it also expands the attack surface of the LLM layer considerably. Every MCP server is, in effect, remote-callable infrastructure that an agent trusts to execute commands and return data, and the arguments it receives are ultimately chosen by a model that may itself be acting on attacker-supplied content. Many MCP servers in the wild are written quickly, lightly audited, and run with the privileges of the user or host that launched them.
Common MCP attack patterns (observed in real CVEs)
1. Path traversal via tool arguments
MCP tool inputs (file paths, resource URIs) flow straight into fs.readFile, open() or similar primitives. Without resolving the path (symlinks included) and checking that the result stays inside the intended root, a model-chosen argument such as ../../etc/passwd reads or writes arbitrary files. Real-world impact: full RCE when the file written is a configuration or script the host later executes.
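The check that closes this pattern, written here in Python as an added example rather than code from any of the tracked projects (the fs.readFile reference above is Node, but the logic is identical): resolve the argument under the configured root, symlinks included, and refuse anything that lands outside it. The workspace, the secret file and the symlink that demo() builds are constructed sample data.

```python
import os
import tempfile


class PathEscape(ValueError):
    """Raised when a tool argument would resolve outside the permitted root."""


def unsafe_resolve(root: str, user_path: str) -> str:
    # What a hastily written handler does: join and read. An absolute argument
    # replaces root entirely, and "../" segments walk out of it.
    return os.path.join(root, user_path)


def safe_resolve(root: str, user_path: str) -> str:
    """Resolve user_path under root, following symlinks, and refuse anything that escapes."""
    if "\x00" in user_path:
        raise PathEscape("NUL byte in path")
    if os.path.isabs(user_path):
        raise PathEscape(f"absolute paths are not accepted: {user_path!r}")
    root_real = os.path.realpath(root)
    # realpath normalises "..", "." and repeated separators AND resolves symlinks,
    # so a link inside root that points outside it is caught as well.
    candidate = os.path.realpath(os.path.join(root_real, user_path))
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise PathEscape(f"{user_path!r} resolves to {candidate}, outside {root_real}")
    return candidate


def demo() -> dict:
    """Build a throwaway workspace (constructed data) and try several tool arguments."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "workspace")
        root_real = os.path.realpath(root)
        os.makedirs(os.path.join(root, "docs"))
        with open(os.path.join(root, "docs", "readme.md"), "w") as fh:
            fh.write("hello")
        secret = os.path.join(tmp, "secret.txt")  # beside the root, not inside it
        with open(secret, "w") as fh:
            fh.write("constructed-api-key")
        # A symlink inside the root that points outside it (the ciguard-style case).
        os.symlink(secret, os.path.join(root, "docs", "link"))

        for arg in ("docs/readme.md", "../secret.txt", "docs/link", "/etc/hostname"):
            try:
                results[arg] = ("allowed", os.path.relpath(safe_resolve(root, arg), root_real))
            except PathEscape as exc:
                results[arg] = ("rejected", str(exc))
        # The naive join happily hands back a path to the secret.
        results["unsafe_join_reaches_secret"] = os.path.isfile(unsafe_resolve(root, "../secret.txt"))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:30} -> {value}")
```

Rejecting absolute arguments outright (rather than silently re-rooting them) keeps the behaviour explicit; a client that legitimately needs a file outside the workspace should be given a second, separately authorized root.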
2. SSRF via HTTP tools
MCP fetch or webhook tools that don't restrict target URLs let an attacker-steered agent reach 169.254.169.254 (cloud metadata), private VPC ranges, or internal services. Deny-lists that match on the literal host string are routinely bypassed with alternate encodings, IPv6 forms of the same address, or hostnames that resolve to an internal IP, so the check has to run on the resolved address. We see SSRF chained with API key exfiltration in tools like n8n-mcp.
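A resolve-then-check URL validator for a fetch tool, as an added example that is not drawn from n8n-mcp or any other project on this page. It unwraps IPv4-mapped, 6to4 and Teredo IPv6 forms before classifying the address, and checks every DNS answer for a hostname. The FAKE_DNS table and the sample URLs are constructed; a real deployment would leave the default resolver in place.

```python
import ipaddress
import socket
from typing import Callable, Iterable, List, Optional
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def _unwrap_embedded_ipv4(addr):
    """IPv6 forms that carry an IPv4 address; filters that only inspect the
    textual host, or only IPv4, miss these."""
    if isinstance(addr, ipaddress.IPv6Address):
        if addr.ipv4_mapped is not None:   # ::ffff:169.254.169.254 / ::ffff:a9fe:a9fe
            return addr.ipv4_mapped
        if addr.sixtofour is not None:     # 2002:a9fe:a9fe::
            return addr.sixtofour
        if addr.teredo is not None:        # 2001:0::... -> (server, client)
            return addr.teredo[1]
    return addr


def is_forbidden_address(addr) -> bool:
    """Loopback, RFC1918, link-local (incl. 169.254.169.254), CGNAT, unspecified,
    reserved and documentation ranges, plus multicast."""
    addr = _unwrap_embedded_ipv4(addr)
    return addr.is_multicast or not addr.is_global


def _dns_resolve(host: str) -> List[str]:
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_fetch_target(url: str, allowed_hosts: Optional[Iterable[str]] = None,
                       resolver: Callable[[str], List[str]] = _dns_resolve) -> str:
    """Return url if the fetch tool may request it, otherwise raise ValueError.
    resolver maps a hostname to its IP strings; injectable so tests run offline."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = (parts.hostname or "").rstrip(".").lower()  # hostname drops [], port and userinfo
    if not host:
        raise ValueError("URL has no host")
    if allowed_hosts is not None and host not in {h.lower() for h in allowed_hosts}:
        raise ValueError(f"host not on allow-list: {host}")
    try:
        addrs = [ipaddress.ip_address(host)]  # literal IPv4 or IPv6
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in resolver(host)]
    if not addrs:
        raise ValueError(f"{host} did not resolve")
    # Check every answer: one public and one internal record is still a way in.
    for addr in addrs:
        if is_forbidden_address(addr):
            raise ValueError(f"{host} resolves to forbidden address {addr}")
    return url


# Constructed DNS answers standing in for real resolution.
FAKE_DNS = {
    "api.example.com": ["8.8.8.8"],
    "metadata.google.internal": ["169.254.169.254"],
    "rebind.example.net": ["8.8.8.8", "10.0.0.5"],
}


def demo() -> dict:
    resolver = lambda host: FAKE_DNS.get(host, [])
    urls = [
        "https://api.example.com/v1/items",
        "http://169.254.169.254/latest/meta-data/",
        "http://[::ffff:169.254.169.254]/latest/meta-data/",
        "http://[::ffff:a9fe:a9fe]/latest/meta-data/",
        "http://[2002:a9fe:a9fe::]/",
        "http://metadata.google.internal/computeMetadata/v1/",
        "http://rebind.example.net/",
        "http://user@[::1]:5678/rest/",
        "file:///etc/passwd",
    ]
    out = {}
    for u in urls:
        try:
            check_fetch_target(u, resolver=resolver)
            out[u] = "allowed"
        except ValueError as exc:
            out[u] = f"blocked: {exc}"
    return out


if __name__ == "__main__":
    for url, verdict in demo().items():
        print(f"{url:55} {verdict}")
```

The remaining gap is DNS rebinding: a hostname that resolves to a public address at check time and to an internal one when the HTTP client connects. Closing it means connecting to the address that was validated (pinning the resolved IP in the HTTP client) instead of letting the client resolve again, and re-running the check on every redirect.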
3. Credential leakage via HTTP transport logging
Many MCP servers default to verbose request logging, especially in HTTP transport mode. OAuth tokens, API keys, and session cookies end up in log files that downstream agents, other tenants, or log-aggregation pipelines can read. Multiple CVEs we track exploit this exact pattern.
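A redaction layer for the logging path, as an added example rather than code from any of the tracked servers: a logging.Filter that scrubs authorization and cookie headers, bare bearer tokens, and token-like query parameters or JSON fields from the fully formatted message before any handler writes it. The request that demo() logs, and the secrets in it, are constructed.

```python
import logging
import re
from typing import Dict, List

REDACTED = "[REDACTED]"
# Header names whose whole value is secret (compared case-insensitively).
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie",
                     "x-api-key", "x-auth-token"}
# Secrets that reach the logger inside free text: header lines, dict reprs, URLs, JSON bodies.
_TEXT_PATTERNS = [
    # "Authorization: value" or 'Authorization': 'value'; the value ends at a quote or newline.
    (re.compile(r"(?i)\b((?:authorization|proxy-authorization|cookie|set-cookie|x-api-key|x-auth-token)"
                r"[\"']?\s*[:=]\s*[\"']?)[^\"'\r\n]+"), r"\1" + REDACTED),
    # Bare credentials that appear without a header name.
    (re.compile(r"(?i)\b((?:bearer|basic)\s+)[A-Za-z0-9\-._~+/=]+"), r"\1" + REDACTED),
    # Secrets passed as query parameters.
    (re.compile(r"(?i)([?&](?:api_key|apikey|token|access_token|refresh_token|client_secret)=)[^&\s\"']+"),
     r"\1" + REDACTED),
    # Secrets in JSON fields.
    (re.compile(r"(?i)(\"(?:api_key|apikey|access_token|refresh_token|client_secret|password)\"\s*:\s*\")[^\"]*"),
     r"\1" + REDACTED),
]


def redact_text(text: str) -> str:
    for pattern, repl in _TEXT_PATTERNS:
        text = pattern.sub(repl, text)
    return text


def redact_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Structured variant for code that logs a header mapping directly."""
    return {k: (REDACTED if k.lower() in SENSITIVE_HEADERS else v) for k, v in headers.items()}


class SecretRedactingFilter(logging.Filter):
    """Format the record once, scrub the result, and drop the raw args so no
    handler can re-format the unredacted values."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_text(record.getMessage())
        record.args = ()
        return True


_FILTER = SecretRedactingFilter()


class _ListHandler(logging.Handler):
    """Captures formatted lines so the demo can compare before/after."""

    def __init__(self) -> None:
        super().__init__()
        self.lines: List[str] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))


def log_request(logger: logging.Logger, method: str, path: str, headers: dict, body: str) -> None:
    # Typical verbose transport logging: the entire request, headers included.
    logger.info("%s %s headers=%s body=%s", method, path, headers, body)


def demo() -> dict:
    # Constructed request carrying the kinds of secrets that leak through transport logs.
    headers = {"Authorization": "Bearer eyJhbGciOiJIUzI1NiJ9.constructed.sig",
               "Cookie": "session=constructed-session-cookie",
               "Content-Type": "application/json"}
    body = '{"access_token": "ya29.constructed-oauth-token", "scope": "read"}'
    path = "/mcp?api_key=constructed-key-123"
    out = {}
    for name, redact in (("verbose", False), ("redacted", True)):
        logger = logging.getLogger(f"mcp.demo.{name}")
        logger.propagate = False
        logger.setLevel(logging.INFO)
        handler = _ListHandler()
        handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
        logger.handlers = [handler]
        if redact:
            logger.addFilter(_FILTER)
        log_request(logger, "POST", path, headers, body)
        out[name] = handler.lines[0]
    return out


if __name__ == "__main__":
    for name, line in demo().items():
        print(f"{name}: {line}")
```

Attach the filter to the logger (not only to one handler) so every sink, including a debug handler someone adds later, receives the scrubbed record.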
4. Owner-context spoofing and authorization bypass
The MCP authorization specification covers how an HTTP client obtains and presents a bearer token (OAuth 2.1); it says nothing about how a server maps that token to a tenant or what a given caller may do with each tool. Naive implementations take the caller's identity or tenant from something the client asserts (a header, a tool argument, a session field) instead of from the verified credential, and a malicious client or a prompt-injected agent can set that value to any tenant it likes. Result: privilege escalation across tenants.
5. Prompt-injection driven tool invocation chains
An attacker who controls any content surface the agent reads (a web page, an email, a RAG document, the output of another tool) can plant instructions that cause the agent to invoke MCP tools with attacker-controlled arguments. Each tool in the chain may be individually unremarkable; the exploit is the composition, for instance reading a credential file with one tool and posting it to an attacker host with a fetch tool.
MCP-related CVEs we are tracking
| CVE | Severity | Headline | Published |
|---|---|---|---|
| CVE-2026-44336 | CRITICAL | PraisonAI: MCP path traversal escalates to full RCE | May 11, 2026 |
| GHSA-9qhq-v63v-fv3j | CRITICAL | PraisonAI: RCE via MCP command injection | Apr 17, 2026 |
| CVE-2026-40933 | CRITICAL | Flowise: RCE via MCP stdio command injection | Apr 16, 2026 |
| CVE-2025-61260 | CRITICAL | OpenAI Codex CLI: RCE via malicious MCP config files | Apr 14, 2026 |
| CVE-2026-27825 | CRITICAL | mcp-atlassian: Path Traversal enables file access | Mar 10, 2026 |
| CVE-2025-59528 | CRITICAL | Flowise: Unauthenticated RCE via MCP config injection | Sep 22, 2025 |
| GHSA-8g7g-hmwm-6rv2 | HIGH | n8n-mcp: path traversal + SSRF exposes n8n API keys | May 8, 2026 |
| CVE-2026-42271 | HIGH | LiteLLM: RCE via MCP test endpoint command injection | May 8, 2026 |
| CVE-2026-42079 | HIGH | PPTAgent: eval injection enables RCE via LLM prompt injection | May 5, 2026 |
| GHSA-r6xh-pqhr-v4xh | HIGH | openclaw: MCP owner-context spoofing, privilege escalation | May 4, 2026 |
| CVE-2026-42449 | HIGH | n8n-mcp: SSRF bypass via IPv6 leaks API keys | Apr 30, 2026 |
| GHSA-v4p8-mg3p-g94g | HIGH | litellm: RCE via MCP test endpoints privilege bypass | Apr 25, 2026 |
| GHSA-cvrr-qhgw-2mm6 | HIGH | Flowise: unauthenticated RCE via FILE-STORAGE bypass | Apr 16, 2026 |
| CVE-2026-30617 | HIGH | LangChain-ChatChat: RCE via unauthenticated MCP interface | Apr 15, 2026 |
| GHSA-p4h8-56qp-hpgv | HIGH | mcp-ssh: argument injection enables LLM-driven local RCE | Apr 14, 2026 |
| GHSA-75hx-xj24-mqrw | HIGH | n8n-mcp: unauthenticated HTTP endpoints enable DoS + recon | Apr 10, 2026 |
| CVE-2026-39974 | HIGH | n8n-MCP: SSRF exposes cloud metadata via MCP headers | Apr 9, 2026 |
| GHSA-4ggg-h7ph-26qr | HIGH | n8n-mcp: authenticated SSRF leaks cloud metadata | Apr 8, 2026 |
| CVE-2026-35394 | HIGH | mobile-mcp: intent injection enables device control via AI agent | Apr 4, 2026 |
| CVE-2026-29872 | HIGH | awesome-llm-apps MCP Agent: cross-session credential theft | Mar 30, 2026 |
| CVE-2026-33989 | HIGH | @mobilenext/mobile-mcp: path traversal via AI agent tool | Mar 27, 2026 |
| CVE-2026-27826 | HIGH | mcp-atlassian: SSRF allows internal network access | Mar 10, 2026 |
| CVE-2026-0621 | HIGH | mcp_typescript_sdk: security flaw enables exploitation | Jan 5, 2026 |
| CVE-2025-66404 | HIGH | mcp-server-kubernetes: Command Injection enables RCE | Dec 3, 2025 |
| CVE-2026-42282 | MEDIUM | n8n-MCP: credential logging exposes OAuth tokens in HTTP mode | May 8, 2026 |
| CVE-2026-43901 | MEDIUM | wireshark-mcp: path traversal enables arbitrary file write via MCP | May 5, 2026 |
| GHSA-7jm2-g593-4qrc | MEDIUM | openclaw: config guard bypass, persistent settings mutation | Apr 25, 2026 |
| GHSA-qrp5-gfw2-gxv4 | MEDIUM | openclaw: tool policy bypass via bundled MCP/LSP tools | Apr 25, 2026 |
| GHSA-mj59-h3q9-ghfh | MEDIUM | openclaw: env var injection via MCP stdio config | Apr 25, 2026 |
| GHSA-wg4g-395p-mqv3 | MEDIUM | n8n-mcp: credential exposure via HTTP transport logging | Apr 25, 2026 |
| CVE-2026-41495 | MEDIUM | n8n-mcp: bearer tokens exposed in HTTP transport logs | Apr 23, 2026 |
| CVE-2026-6599 | MEDIUM | Langflow: MCP config injection via X-Forwarded-For header | Apr 20, 2026 |
| CVE-2026-40159 | MEDIUM | PraisonAI: MCP env inheritance exposes API keys | Apr 10, 2026 |
| CVE-2026-44220 | LOW | ciguard: symlink traversal exposes secrets via MCP agent | May 5, 2026 |
| CVE-2026-44694 | AWAITING NVD | n8n-MCP: SSRF allows internal network access via webhook tools | May 8, 2026 |
| CVE-2026-42235 | AWAITING NVD | n8n: stored XSS via MCP OAuth steals agent sessions | Apr 29, 2026 |
| CVE-2026-42236 | AWAITING NVD | n8n: unauthenticated MCP endpoint causes memory DoS | Apr 29, 2026 |
| CVE-2026-42230 | AWAITING NVD | n8n: MCP OAuth open redirect enables phishing | Apr 29, 2026 |
| CVE-2025-15063 | UNKNOWN | Ollama: Command Injection enables RCE | Jan 23, 2026 |
| CVE-2025-34072 | UNKNOWN | Slack MCP: zero-click exfiltration via link unfurling | Jul 2, 2025 |
| CVE-2018-7577 | UNKNOWN | TensorFlow: Snappy memcpy overlap crash/mem disclosure | Apr 24, 2019 |
How to protect MCP deployments
- Inventory every MCP server in your stack. Treat them like web services, not "just config". Each is a remote code-execution surface for your agents.
- Sandbox the host process. Run MCP servers in containers with read-only filesystems where possible, dropped capabilities, network policies limiting egress, and a dedicated low-privilege credential rather than the operator's personal token.
- Treat every tool argument as untrusted. Resolve paths (symlinks included) and check that the result stays under the intended root before any file access. Validate URLs against an allow-list before HTTP fetches, then resolve the hostname and reject any answer in private, loopback, link-local or metadata ranges, including the IPv6 and IPv4-mapped forms of those addresses.
- Disable verbose request logging by default. If logging is needed, redact OAuth bearer tokens, cookies, and Authorization headers at the transport layer.
- Implement explicit authorization. Don't trust the client-asserted owner/tenant. Authenticate the MCP client and check it against an access policy on every invocation.
- Constrain prompt-injection blast radius. Treat any content the agent reads as adversarial. Require human-in-the-loop confirmation for tool invocations that touch sensitive resources.
- Track upstream CVEs. The MCP ecosystem moves fast. Subscribe to our feed to catch new MCP CVEs as they are published.
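The authorization and confirmation points above, together with the owner-context spoofing pattern from the first section, in one added example that is not code from the MCP SDKs or any tracked project: the server derives tenant and scopes from a verified token, discards whatever the client asserts about its own identity, checks a per-tool scope, and routes sensitive tools through an operator confirmation hook. The HMAC-signed token format, SERVER_KEY, the TOOL_POLICY table and the request shape are constructed stand-ins for a real identity provider and tool registry.

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Optional

# Constructed signing key for this example only. A deployed server verifies tokens
# issued by its identity provider instead of minting its own.
SERVER_KEY = b"constructed-example-key-do-not-use"


@dataclass(frozen=True)
class Principal:
    subject: str
    tenant: str
    scopes: FrozenSet[str]


def mint_token(subject: str, tenant: str, scopes) -> str:
    """Issue an HMAC-signed token (stand-in for the IdP)."""
    body = json.dumps({"sub": subject, "tenant": tenant, "scopes": sorted(scopes)}).encode()
    sig = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body).decode() + "." + base64.urlsafe_b64encode(sig).decode()


def authenticate(authorization: Optional[str]) -> Principal:
    """Turn an Authorization header into a Principal, or raise PermissionError."""
    if not authorization or not authorization.startswith("Bearer "):
        raise PermissionError("missing bearer token")
    try:
        body_b64, sig_b64 = authorization[len("Bearer "):].split(".")
        body = base64.urlsafe_b64decode(body_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
        expected = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            raise PermissionError("bad token signature")
        claims = json.loads(body)
        return Principal(claims["sub"], claims["tenant"], frozenset(claims["scopes"]))
    except (ValueError, KeyError, TypeError) as exc:
        raise PermissionError(f"malformed token: {exc}") from None


# Per-tool policy: the scope a caller needs, and whether an operator must confirm.
TOOL_POLICY: Dict[str, dict] = {
    "list_issues":  {"scope": "issues:read",  "confirm": False},
    "delete_issue": {"scope": "issues:write", "confirm": True},
    "run_shell":    {"scope": "exec",         "confirm": True},
}


def handle_tool_call(request: dict, confirm: Callable[[Principal, str, dict], bool]) -> dict:
    """Authorize one tool call. request has the constructed shape
    {"headers": {...}, "tool": str, "arguments": {...}}; confirm is the
    human-in-the-loop hook consulted for sensitive tools."""
    headers = request.get("headers", {})
    principal = authenticate(headers.get("Authorization"))
    tool = request["tool"]
    args = dict(request.get("arguments", {}))
    policy = TOOL_POLICY.get(tool)
    if policy is None:
        return {"status": "denied", "reason": f"unknown tool {tool!r}"}
    if policy["scope"] not in principal.scopes:
        return {"status": "denied", "reason": f"{tool} needs scope {policy['scope']}"}
    # Owner context comes from the verified token only. Whatever the client asserts
    # about itself (a 'tenant' argument, an X-Tenant header) is discarded, not trusted.
    asserted = args.pop("tenant", None) or headers.get("X-Tenant")
    spoof_attempt = asserted is not None and asserted != principal.tenant
    args["tenant"] = principal.tenant
    if policy["confirm"] and not confirm(principal, tool, args):
        return {"status": "denied", "reason": "operator declined", "spoof_attempt": spoof_attempt}
    return {"status": "allowed", "tool": tool, "arguments": args,
            "subject": principal.subject, "spoof_attempt": spoof_attempt}


def demo() -> dict:
    reader = mint_token("alice", "acme", {"issues:read"})
    admin = mint_token("bob", "acme", {"issues:read", "issues:write"})
    allow = lambda *_: True
    out = {}
    # A prompt-injected client asserts another tenant; the server keeps 'acme'.
    out["spoofed_tenant"] = handle_tool_call(
        {"headers": {"Authorization": f"Bearer {reader}", "X-Tenant": "globex"},
         "tool": "list_issues", "arguments": {"tenant": "globex", "project": "X"}}, allow)
    # A read-only principal cannot reach a write tool regardless of arguments.
    out["missing_scope"] = handle_tool_call(
        {"headers": {"Authorization": f"Bearer {reader}"}, "tool": "delete_issue",
         "arguments": {"id": 7}}, allow)
    # A writer may delete, but only once the operator confirms.
    out["declined"] = handle_tool_call(
        {"headers": {"Authorization": f"Bearer {admin}"}, "tool": "delete_issue",
         "arguments": {"id": 7}}, lambda *_: False)
    out["confirmed"] = handle_tool_call(
        {"headers": {"Authorization": f"Bearer {admin}"}, "tool": "delete_issue",
         "arguments": {"id": 7}}, allow)
    # Editing the claims to change tenant breaks the signature.
    sig_b64 = admin.split(".")[1]
    forged = base64.urlsafe_b64encode(json.dumps(
        {"sub": "bob", "tenant": "globex", "scopes": ["issues:write"]}).encode()).decode()
    try:
        handle_tool_call({"headers": {"Authorization": f"Bearer {forged}.{sig_b64}"},
                          "tool": "delete_issue", "arguments": {}}, allow)
        out["forged"] = "accepted"
    except PermissionError as exc:
        out["forged"] = f"rejected: {exc}"
    return out


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:15} {result}")
```

The spoof_attempt flag is worth logging and alerting on: a client that keeps naming a tenant other than its own is either misconfigured or being driven by injected instructions.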
AI Threat Alert