< ciso
brief />
Tag Banner

All news with #mcp security tag

66 articles

Enforce least-privilege in multi-agent AI chains

🔒 This post describes a reference implementation using Cedar on AWS to prevent silent privilege escalation in multi-agent AI delegation chains. It outlines a three-layer policy model—agent-to-tool, agent-to-agent delegation, and originating user authorization—using verified token claims and HMAC-signed context. The architecture uses an MCP adapter Lambda and a Cedar evaluator Lambda to enforce policies sequentially and halt on the first deny. It includes schema, entity registrations, policy examples, deployment steps, and end-to-end test scenarios demonstrating how the model enforces least privilege.
read more →

Microsoft Warns of Poisoned MCP Tool Risk

🛡️ New Microsoft research shows attackers can hijack AI agents by poisoning a tool's description so the agent quietly exfiltrates company data. The attack leverages MCP tool descriptions—plain text that agents read—to inject hidden instructions, allowing malicious actions without obvious rule violations. Microsoft recommends treating tool descriptions as system prompts, restricting approved tools, enforcing human approval for risky actions, and monitoring agent identities and behavior.
read more →

Gemini Enterprise Agent Platform Remote MCP Server

🔗 The Gemini Enterprise Agent Platform remote MCP server lets external AI agents securely access Google Cloud Agent Platform resources. It acts as a standardized bridge so tools like Antigravity CLI or Claude Code can call models in Model Garden, manage Notebooks, and use shared prompts without leaving the IDE. Enable the API, configure your client, and use provided Toolset Endpoints to start integrating quickly while maintaining governance.
read more →

Securing AI agents as tools shift from read to act

🛡️ This Microsoft Incident Response post examines an attack pattern targeting Model Context Protocol (MCP) tools, where poisoned tool metadata causes agentic AI to perform unauthorized actions. It outlines a playbook for detecting, containing, and preventing these attacks using Microsoft security controls and maps techniques to the OWASP Top 10 for Agentic Applications. The guidance emphasizes treating MCP servers as supply-chain dependencies, reviewing tool descriptions as prompts, and applying least agency controls.
read more →

New VPC-SC Controls to Secure Agentic AI Workloads

🔒 Google Cloud announces new VPC Service Controls features to secure agentic AI deployments by enforcing network-level perimeters and integrating agent identities. These updates let administrators add agent principals and principalSets to ingress/egress rules, apply conditional rules based on MCP attributes like mcp.toolName and mcp.method, and automatically protect the Gemini Enterprise Agent Platform from public internet access. The enhancements are designed to complement IAM and resource policies to prevent exfiltration and tool misuse in production agent fleets.
read more →

High-severity Amazon Q MCP flaw enables cloud theft

🛡️ A high-severity flaw in Amazon Q Developer allowed a malicious repository to spawn MCP servers and execute commands, exposing a developer's cloud credentials. Wiz Research discovered the issue and demonstrated that a single config file (.amazonq/mcp.json) in a cloned repo could trigger AWS credential theft. Amazon patched the vulnerability, tracked as CVE-2026-12957 (CVSS 8.5), and updated Language Servers for AWS and IDE plugins to require explicit consent for untrusted MCP servers.
read more →

AutoJack exploit chains AI agent to local code execution

🔒 Microsoft researchers disclosed AutoJack, an exploit chain that lets an AI browsing agent load a malicious web page which then reaches a privileged local service and spawns processes on the host. The issue resides in AutoGen Studio's MCP WebSocket handler, present only in two pre-release PyPI builds (0.4.3.dev1 and dev2). A vanilla pip install (0.4.2.2) is not affected; fixes are merged to GitHub main but not yet released on PyPI.
read more →

Web-enabled AI agents can enable host-level RCE

🔒 Microsoft demonstrated a new remote code execution path called “AutoJack,” showing how web-enabled AI agents can be hijacked to reach local Model Context Protocol (MCP) services and execute arbitrary processes. The researchers exploited three weaknesses in AutoGen Studio’s MCP WebSocket implementation—origin allowlist inheritance, missing authentication for MCP paths, and unsanitized URL-supplied server parameters that spawn processes. Microsoft reported and mitigated the issue in development builds and warned this pattern could affect other agentic frameworks.
read more →

AutoJack vulnerability in AutoGen Studio patched

🛡️ Ongoing research found an exploit chain in AutoGen Studio that allowed untrusted web content rendered by a browsing agent to reach a local Model Context Protocol (MCP) WebSocket and spawn arbitrary processes on the host. Microsoft’s team reported the issue and maintainers hardened the main branch in commit b047730; the vulnerable MCP WebSocket surface was never included in the PyPI release. The advisory explains the attack chain, remediation steps, and developer guidance to avoid localhost trust-boundary risks.
read more →

Deploy a Remote MCP Server to GKE in 30 Minutes

🔧 This guide explains how to build and deploy a remote Model Context Protocol (MCP) server on Google Kubernetes Engine (GKE) using the Streamable HTTP transport. It covers prerequisites, creating a simple math MCP server with FastMCP, local testing, containerizing the server, and pushing the image to Artifact Registry. Finally, it details deploying to GKE Autopilot and exposing the server securely with the Kubernetes Gateway API and managed SSL.
read more →

Agentjacking: AI coding agents hijacked via Sentry flaw

🛡️ Researchers describe a new "agentjacking" attack that tricks AI coding agents into executing arbitrary code by injecting malicious instructions into Sentry error events. Tenet Security says the flaw leverages Sentry DSNs — public, write-only credentials — to post crafted markdown that appears as legitimate remediation guidance. Agents retrieving unresolved errors via MCP render the injected content as trusted and may execute the embedded commands with developer privileges. The report confirmed high exploitability across popular agents and thousands of exposed DSNs.
read more →

Claude Code MCP configuration enables token theft

🔒 Researchers disclosed an attack chain against Anthropic’s command-line coding assistant, Claude Code, that abuses the Model Context Protocol (MCP). A malicious npm post-install hook can rewrite the local ~/.claude.json configuration to redirect authenticated MCP traffic to attacker infrastructure, allowing interception of stored OAuth bearer tokens. Anthropic has been notified but has not issued a patch; defenders are advised to monitor the configuration file, treat npm post-install hooks as high risk, and rotate OAuth tokens tied to Claude Code integrations.
read more →

Critical RCE in Flowise's Custom MCP Tool Revealed

🛡️ Obsidian Security disclosed a critical RCE in the open-source AI workflow platform Flowise (CVE-2026-40933), enabling server takeover when a logged-in user imports a malicious chatflow. Self-hosted deployments are vulnerable by default; Flowise Cloud is not affected. The flaw stems from the Custom MCP tool launching user-supplied commands via stdio without sandboxing, and Flowise's input-validation patch can be bypassed.
read more →

Flowise MCP flaw enables single-click remote code execution

🔒 Researchers at Obsidian Security disclosed a near-max severity remote code execution flaw in self-hosted Flowise deployments tied to its Model Context Protocol (MCP) stdio server implementation. The issue stems from Flowise allowing attacker-controlled MCP stdio configurations that execute arbitrary OS commands, enabling one-click post-auth RCE via malicious chatflow imports. Flowise Cloud is unaffected, but self-hosted instances should review and potentially disable stdio MCP or apply strict mitigations.
read more →

Linux Foundation proposes DNS-AID for AI agent discovery

🛰️ The Linux Foundation has proposed DNS-AID, a standards-driven extension to the Domain Name System to let AI agents discover, verify, and communicate without new infrastructure. The project leverages a well-known DNS address pattern (for example, _index._agents.{domain}) to provide a global, vendor-neutral directory for agents and MCP servers. Initial work was done by Infoblox, with contributions from Deutsche Telekom and Amazon, and the foundation is soliciting further input to keep the approach scalable and secure.
read more →

LLMjacking Risks: Securing Private AI Servers 2026

🔒 A hands-on April 2026 experiment shows how quickly attackers can target private AI servers: a Raspberry Pi honeypot posed as a high-performance stack (Ollama, LM Studio, AutoGPT, LangServe, text-gen-webui) and claimed a local Qwen3-Coder 30B instance plus RAG/MCP assets. Shodan discovered the server within three hours and, over a month, it logged 113,000+ requests from thousands of IPs with 23% probing AI capabilities. Observed tactics included fingerprinting endpoints like /v1/models and /.well-known/mcp.json and systematic hunts for exposed .env files, highlighting the importance of securing RAG, MCP and private AI deployments from day one.
read more →

Agentic AI: The Next Blindspot for Security Teams and Risk

🔐 Agentic AI is already operating across enterprises, executing tasks and taking actions often without meaningful security involvement. Security teams must develop hands‑on fluency — build and test agents, understand integrations like the Model Context Protocol, and enforce scoped configurations — because policy alone won't close the gap. The piece distinguishes three agent classes (productivity, MCP‑connected vendor agents, and custom user agents) and emphasizes configuration, access scoping, and training such as SANS SEC545 to reduce exposure.
read more →

Securing MCP Infrastructure: Zero-Trust for AI Agents

🔒 Knostic’s internet-wide reconnaissance discovered 1,862 exposed MCP servers, and manual checks of 119 instances showed every sampled server returned internal tool listings without authentication. High-impact flaws like EchoLeak (CVE-2025-32711) and mcp-remote (CVE-2025-6514) illustrate how poisoned documents and command-injection in widely used packages can enable silent data exfiltration or full system compromise. The article prescribes immediate adoption of zero-trust controls: authentication on every interaction, network segmentation, cryptographic signing for tool definitions, continuous integrity monitoring, and human approval for sensitive actions.
read more →

Including MCP in Continuous Threat Exposure Management

🔒 Model Context Protocol (MCP), the emerging plugin layer for agentic AI, has become a significant blind spot for security teams, introducing new shadow-AI risks much like shadow IT. CTEM programs can close this gap by extending scoping, discovery, prioritization, validation and mobilization to cover developer workstations, AI toolchains and MCP server configurations. Practical actions include actively enumerating MCP endpoints, scanning agent configuration and markdown context files for hardcoded API keys, and prioritizing exposures by attacker impact to produce actionable remediation tickets for engineering teams.
read more →

AWS Releases MCP Server for Secure Agent Access and Auditing

🔒 AWS has announced general availability of the AWS MCP Server, a managed endpoint that gives AI coding agents secure, auditable access to AWS services using the Model Context Protocol (MCP). The server is part of the Agent Toolkit for AWS and enforces IAM-based guardrails while emitting CloudWatch metrics and CloudTrail logs so teams keep visibility and control. It supports calling any AWS API through a single tool, sandboxed Python execution for multi-step tasks without filesystem or shell access, and a new agent skills format for on-demand, curated procedures. The service is available at no additional charge; customers pay only for the AWS resources agents consume.
read more →