MCP Security Issues: The Hidden Risks Enterprises Must Address

As enterprises scale AI agent deployments, the infrastructure connecting models to real-world tools is becoming a critical security boundary. The Model Context Protocol (MCP) sits at the center of this shift, enabling structured interactions between agents, data sources, and external systems. While it accelerates integration and orchestration, it also introduces a new layer of risk that many organizations are only beginning to understand.

That gap between adoption speed and security readiness is where MCP security risks live. The context protocol standardizes how AI agents connect to tools and data sources. What it does not do is enforce how those connections are secured. Authentication, access control, and audit logging are not built in. Organizations have to add that layer themselves, and most have not.

This guide covers what MCP security risks actually are, the specific vulnerabilities affecting enterprise deployments right now, why traditional application security tools cannot handle them, and what a properly governed deployment looks like in practice.

Agents Acting on Your Infrastructure Need More Than a Protocol to Stay Safe

TrueFoundry's MCP Gateway adds OAuth identity injection, schema validation, and PII redaction to every agent tool call

Book a Demo

What Are MCP Security Risks?

MCP security risks are vulnerabilities that emerge when AI agents authenticate, authorize, and exchange data through MCP servers without a secondary governance layer. While the protocol defines how messages are formatted and exchanged between clients and servers, it remains silent on security enforcement.

When teams deploy MCP servers without external controls, they create "open doors" in their infrastructure:

• Unverified Requests: Servers that accept instructions without confirming the caller’s identity.
• Unauthorized Tool Calls: Servers that execute actions (like deleting data) without checking if the agent is allowed to do so.
• Invisible Breaches: A lack of audit trails that leaves security teams blind when something goes wrong.

Trend Micro recently found 492 MCP servers exposed to the internet with zero authentication. This pattern reflects a dangerous trend: adopting a protocol for its capability at high speed without a parallel investment in governance.

Misconfigurations compound the problem. As teams spin up more servers across cloud environments, they carry defaults that were fine for local development into production. Unmonitored AI agent behavior does the rest. The structural gap between what the protocol provides and what production deployments require is where malicious actors find their way in.

The Core MCP Security Issues Threatening Enterprises

Model Context Protocol functions purely as a transport layer, not as a built-in security framework. While it standardizes how AI systems connect to external tools and data, it leaves protection entirely to the surrounding infrastructure. 

As a result, when these controls are weak or missing, enterprise deployments tend to expose four recurring security risk categories.

Over-Privileged Server Access

Developers configure MCP servers with broad permissions during prototyping to avoid hitting authorization errors, violating the principle of least privilege. Those permissions rarely get scoped down before production.

For example, an AI agent built to summarize Jira tickets might carry the credentials to delete them, close projects, or modify permissions if the underlying server was configured with admin access and never restricted.

When an attacker or an injected instruction compromises that agent, they inherit the full scope of what the server can do. The blast radius is determined by how over-provisioned the access control was, not by what the agent was actually supposed to do.

Prompt Injection Leading to Unauthorized Actions

Prompt injection in MCP environments is different from basic chatbot manipulation. When an AI agent can execute actions, an injected instruction does not just produce a bad response. It triggers real operations against external systems.

Malicious actors embed instructions inside documents, support tickets, emails, or web pages the agent processes. The Supabase Cursor incident in June 2025, where an AI agent with service-role access processed support tickets containing SQL instructions is a clear example.  It read and leaked integration tokens into a public thread. No network breach. No malware. Just text the agent treated as a command.

The GitHub MCP incident in May 2025 followed the same pattern: indirect prompt injection in public Issues exfiltrated private repository code. 

The OWASP Top 10 for large language models ranks prompt injection as the number one vulnerability for this reason, making it the primary MCP security risk enterprises must address at the infrastructure layer. 

Server-Side Request Forgery (SSRF) and Data Exfiltration

MCP servers sit deep inside corporate networks where they can reach internal databases, file systems, and cloud infrastructure. That positioning is what makes them useful. It is also what makes SSRF dangerous when MCP security controls are absent.

BlueRock Security analyzed over 7,000 MCP servers and found 36.7% were potentially vulnerable to SSRF. In their proof of concept against Microsoft's MarkItDown MCP server, researchers retrieved AWS IAM API keys, secret keys, and SSH keys directly from the EC2 instance metadata endpoint. The server fetched arbitrary URLs without validation.

A compromised AI agent using an SSRF-vulnerable server does not need to breach your perimeter directly. It instructs the server to fetch internal resources and surfaces sensitive data through an outbound response. From there, malicious actors can map internal architecture and find additional entry points.

For a deeper breakdown of tools and mitigation strategies, refer to our guide on best MCP security tools.

Fragmented Credential Sprawl

Without a centralized gateway, every AI agent manages its own credentials. API keys live in environment variables. OAuth tokens get stored in the configuration file. Long-lived static secrets accumulate across servers because rotating them requires tracking down every place they live.

CVE-2025-6514 in mcp-remote, an OAuth proxy with over 558,000 downloads, showed the supply chain dimension of MCP security risks. A malicious MCP server could send a crafted authorization URL that mcp-remote passed directly to the system shell, achieving remote code execution and exposing every credential on that machine.

Many MCP servers store service tokens in plaintext or memory. A single compromised server leaks every token it holds. When credentials are scattered, there is no single place to rotate them and no reliable way to verify if rotation was complete.

The Operational Impact of Agent Vulnerabilities

Security teams that dealt with traditional API call breaches had clear forensic paths. A request came in. It was logged. You could trace what happened. MCP breaks that model.

Indirect prompt injection attacks leave no obvious fingerprint. The AI agent behaved exactly as its logs suggest: it read a document and executed a tool call. The fact that the document contained malicious prompts is invisible to monitoring tools that only watch for anomalous network patterns.

Memory poisoning compounds this. Researchers have documented attacks where malicious code injected into an agent's context over multiple interactions gradually shifts the agent's behavior without any single interaction looking suspicious. The Vulnerable MCP Project, maintained by 32 researchers from SentinelOne, Snyk, Trail of Bits, and CyberArk, now tracks 50 vulnerabilities across the MCP ecosystem, 13 of them critical.

The Cisco State of AI Security 2026 report found that only 29% of organizations feel prepared to secure agentic AI applications. The other 71% are running AI agents they cannot properly monitor, creating significant security risks across their external data sources and file system access connections.

Why Traditional Security Tools Fail

Most enterprises first apply existing security infrastructure to MCP deployments. It does not work, and understanding why matters before choosing what to replace it with.

Legacy API Gateways Lack Semantic Context

Traditional API gateways inspect HTTP traffic. They check headers, enforce rate limiting, and verify transport-layer authentication tokens. They cannot read the contents of a user's input payload to determine whether the instruction it contains is legitimate or injected.

An AI agent task that triggers 20 sequential tool calls, viewed at the network level, looks like 20 authenticated HTTP requests. None of them tripped a rate-limiting threshold. None fail header checks. The gateway sees clean traffic throughout. The indirect prompt injection happened three layers up, inside a document the agent processed.

Writing custom middleware to make legacy gateways AI assistant-aware is a dead end. It requires constant maintenance as agent behavior evolves, producing brittle coverage that malicious actors can find ways around. 

SaaS AI Platforms Introduce Data Egress Risks

Managed AI applications orchestration platforms solve the deployment problem but create a different one. When internal MCP traffic routes through a third-party SaaS layer to apply security controls, your proprietary data, external data, tool requests, and AI agent outputs leave your network perimeter on every interaction.

For healthcare, financial services, or government organizations, that is a compliance violation independent of whether the SaaS vendor is trustworthy. HIPAA does not allow PHI to transit through unapproved third-party infrastructure. GDPR requires demonstrable control over where user data flows. A SaaS routing layer breaks both.

These platforms also tend to lock the features you actually need — robust security controls including RBAC, audit logging, and per-tool access control — behind enterprise pricing tiers. The security posture you can maintain depends on your contract tier. 

Your Security Team Deserves Full Visibility Into Every Agent Tool Call

Get OpenTelemetry-compliant audit trails, tool-level RBAC, and compliance-ready logging

Book a Demo

How TrueFoundry Solves MCP Security Issues?

TrueFoundry's approach to MCP security is to enforce security controls at the infrastructure layer, inside your environment, not routed through someone else's. The MCP gateway deploys entirely within your AWS, GCP, or Azure account. 

Every AI agent request, tool call, and model interaction stays within your network boundary, addressing significant security risks from external systems access and data retrieval without compliance exceptions. 

Governed Gateway Inside Your VPC

All MCP traffic stays inside your perimeter. No discovery requests, tool payloads, or AI agent outputs route through external infrastructure. This eliminates the data access egress risk that comes with SaaS-routed platforms and satisfies data sources residency requirements for regulated industries without exception processes or compensating controls.

Innovaccer processes around 17 million AI inference requests per month across clinical workflows under HIPAA, running entirely inside their AWS GovCloud environment. Every interaction stays within their cloud boundary. Audit evidence is in their own logs, ready for any reviewer who asks. This is what MCP security best practices look like at enterprise scale.

Per-Server RBAC Enforcement

Access control policies are enforced at the tool level before requests reach any model or MCP server, implementing MCP security best practices through the TrueFoundry AI gateway. A customer support AI agent sees CRM lookup tools. It does not see database write operations. A finance agent can query payment records but cannot trigger outbound transfers.

TrueFoundry integrates with Okta, Azure AD, and custom SSO setups. AI agents inherit the exact permissions of the requesting user through OAuth 2.0 On-Behalf-Of flows. No shared service accounts. Every tool call is attributed to a specific human identity, satisfying the confused deputy problem that makes mcp adoption in regulated industries so challenging.

Full Audit Logging Capabilities

Every request is logged with full metadata: user identity, AI agent identity, model, tool, arguments, response, latency, cost, and any applied policy. Logs are structured, retained in your own environment, and exportable in JSON format for integration into Grafana, Splunk, Datadog, or any existing observability pipeline.

Innovaccer uses TrueFoundry's OpenTelemetry output to feed Grafana dashboards in production. When a SOC 2 auditor asks for evidence of access control or a HIPAA review requires proof of sensitive information handling, the answer is in their own logs and can be produced immediately, without relying on a third-party platform for MCP security evidence.

Virtual Server Abstractions

Backend tool implementations sit behind a virtual abstraction layer in the registry, protecting against supply chain MCP security risks. When a tool's underlying service changes, or when a compromised MCP tool instance needs to be swapped out, the change happens at the registry level without touching any AI agent that depends on it.

This also addresses the tool poisoning problem. Tool definitions are version-controlled through the registry. A tool that silently mutates its tool descriptions metadata after installation is detectable because the registry maintains a history of what each tool looked like at registration, closing the MCP security risks introduced by malicious intent in community-sourced MCP components.

The TrueFoundry Agent Gateway extends this protection to multi-agent workflows, enforcing per-agent access control and circuit breakers that halt unintended actions before they cascade across the full MCP ecosystem.

Conclusion: Establish Governance to Mitigate Risk

MCP was built to make AI agents more capable. Security was not part of the original design. That gap is where enterprise risk lives right now, and it is not closing on its own. Between January and February 2026, researchers filed 30 CVEs against MCP infrastructure in 60 days. The protocol grew faster than the security practices around it.

Plugging the gap means adding the controls the protocol does not include: identity verification on every connection, access control at the tool level, centralized credential management, human approval for destructive operations, and structured audit logs retained inside your own environment.

TrueFoundry provides that foundation. Governance is built into the platform, not priced as an add-on. Your data stays in your cloud. Your audit trail is yours. And you can move from a fragmented collection of MCP servers to a governed, auditable control plane without rebuilding your agent architecture from scratch.

Book a demo today to get started.