ciso brief

All news with #mcp security tag

45 articles

MCP STDIO Design Choice Enables Widespread RCE Risk

⚠️ Researchers at OX Security warn that a design decision in Anthropic’s reference Model Context Protocol (MCP) STDIO implementation may permit remote code execution (RCE) when client applications start local MCP servers without proper command filtering. The flaw stems from SDKs accepting arbitrary STDIO commands as subprocess arguments, which many adapters and tools inherit. Anthropic and other framework maintainers say this behavior is by design and that application developers must sanitize inputs, but OX found few effective defenses and demonstrated RCE across numerous projects and services.

Critical Nginx UI Auth-Bypass (MCP) Flaw Actively Exploited

⚠️ A critical authentication bypass in nginx-ui (CVE-2026-33032) allows unauthenticated attackers to invoke privileged MCP actions via an unprotected /mcp_message endpoint. Exploitation can write, modify, and reload Nginx configuration files, enabling full server takeover from a single request. NGINX issued fixes (starting with 2.3.4, latest secure build 2.3.6) after disclosures; administrators should update and audit exposed instances immediately.

Critical 'MCPwn' Flaw in nginx UI Enables Full Takeover

⚠️ Pluto Security has published a full analysis of a critical vulnerability, CVE-2026-33032, in the nginx UI configuration tool that has been actively exploited since March. The flaw, rated CVSS 9.8, is caused by an unauthenticated MCP endpoint (/mcp_message) — dubbed MCPwn — which allows attackers to inject configs and trigger automatic nginx reloads. The vendor recommends applying the 2.3.4 patch released March 15; short-term mitigations include disabling MCP, locking access to trusted IPs, and reviewing logs for suspicious configuration changes.

Critical nginx-ui Authentication Bypass Enables Takeover

⚠️ A critical authentication-bypass flaw (CVE-2026-33032) in nginx-ui is being actively exploited to seize control of Nginx services. The issue stems from the MCP integration exposing two endpoints; /mcp_message lacks the AuthRequired() middleware and the default IP whitelist is treated as "allow all," permitting unauthenticated invocation of management tools. Update to v2.3.4 immediately or disable MCP and restrict access as interim mitigations.

Secure AI Agent Access Patterns Using MCP on AWS Guide

🔒 This post explains how AI agents and coding assistants access AWS resources via the Model Context Protocol (MCP) and why deterministic IAM controls are required. It outlines three security principles—assume all granted permissions could be used, enforce role governance, and differentiate AI-driven from human-initiated actions—and maps them to deployment patterns. It contrasts AWS-managed MCP servers (which inject context keys) with self-managed servers (which require session tags), and provides practical IAM policy examples, monitoring guidance, and operational controls.

Securing Enterprise MCP: Cloudflare’s Portal and Code Mode

🔐 Cloudflare outlines how it centralized and secured company-wide use of the Model Context Protocol (MCP) by combining controls from Cloudflare One and its developer platform. The post explains why locally hosted MCP servers posed supply‑chain and administration risks and how Cloudflare moved to governed, remote MCP servers with Access-based authentication, audit logging, and CI/CD templates. It highlights MCP server portals, Code Mode to reduce token costs, and Gateway detection for shadow MCP.

Building the Internet for Agents: Cloudflare’s Agents Week

🔔 Cloudflare is launching Agents Week to announce platform work aimed at scaling one-to-one AI agents across the Internet. The post argues that traditional container-based cloud models don't map well to ephemeral, per-user agents and highlights Workers and lightweight isolates as efficient primitives alongside GA container sandboxes and improved browser rendering. It also stresses integrating security, identity, payment, and open standards like MCP to make agents practical and sustainable.

Build Production-Ready AI Agents with Google MCP Servers

🔒 Google-managed MCP servers provide enterprise-grade, production-ready endpoints that let AI agents securely call Google services such as Maps, BigQuery, GKE, and Cloud Run. They remove infrastructure overhead by handling hosting, scaling, and reliability while integrating with Cloud IAM, VPC-SC, and Model Armor for governance and inline content filtering. Built-in observability via Cloud Audit Logs ensures traceability of tool calls for compliance and troubleshooting.

Navigating Security Tradeoffs for Enterprise AI Agents

🔒 Unit 42 examines the security tradeoffs of agentic AI, spotlighting the early 2026 Clawdbot surge and pervasive vulnerabilities such as exposed gateways, plaintext credentials, and overbroad permissions. The piece identifies two primary threat paths: malicious model files and compromised Model Context Protocol (MCP) servers, and explains how compromised agents can act as powerful insider threats. Practical guidance includes scanning and sandboxing models, preferring trusted remote MCPs or auditing local MCP code, enforcing strict least-privilege tool access, implementing prompt-injection guardrails, and maintaining detailed logging and policy reviews.

CursorJack: MCP Deeplink Risk in AI Development Environment

⚠️ Proofpoint researchers disclosed CursorJack, a technique that abuses Cursor's Model Context Protocol (MCP) deeplinks to embed installation configurations that can lead to local code execution or the installation of remote malicious servers. Exploitation requires a user to click a crafted deeplink and approve an installation prompt; success depends on system configuration and user privileges, and no zero‑click vector was observed. Proofpoint published a proof‑of‑concept, notified Cursor, and recommends verifying MCP sources, tightening permission controls, and improving visibility into installation parameters to mitigate social‑engineering risks.

AI Agents as Identity Dark Matter: Governance Risks

🔐 The article explains how Model Context Protocol (MCP)-driven AI agents are rapidly moving from chat assistants into enterprise workflows, creating an emergent class of non-human identities that often evade traditional IAM controls. It warns these agents gravitate to low-friction credentials—local accounts, long-lived tokens, and API keys—creating pervasive “identity dark matter.” The piece recommends pairing agents with human sponsors, enforcing dynamic, context-aware access, centralizing visibility and auditability, and applying consistent governance across hybrid environments to prevent privilege drift and regulatory blind spots.

Standardized IAM Context Keys for AWS-Managed MCP Servers

🔐 AWS introduced standardized IAM context keys for its managed remote Model Context Protocol (MCP) servers so AI agents can operate with existing IAM credentials while enabling distinct governance controls. The two keys — aws:ViaAWSMCPService (boolean) and aws:CalledViaAWSMCP (string) — let you allow or deny MCP-initiated actions and restrict access to specific MCP servers. AWS will also simplify public endpoint authorization so AI calls use standard IAM permissions (no separate MCP actions) and plans to add VPC endpoint support for private-network enforcement and two-stage authorization.

Shai-Hulud-style npm worm strikes CI and AI tooling

🐛 Socket researchers disclosed an active npm supply-chain campaign dubbed SANDWORM_MODE that leverages typosquatted packages to infiltrate developer machines, CI pipelines, and AI coding assistants. The malicious packages (at least 19 observed) harvest npm and GitHub tokens, environment secrets, and cloud keys, then use stolen credentials to modify repositories and amplify via weaponized GitHub Actions. The campaign also injects a malicious MCP server into AI tool configs to enable prompt-injection exfiltration, includes a dormant polymorphic engine, and implements a configurable 'dead switch' that can wipe home directories.

Managed MCP Servers for Google Cloud Databases and Tools

🔌 Google Cloud now offers managed MCP servers for databases and developer tooling, enabling MCP-compliant AI agents (including Gemini) to access data and infrastructure without deploying additional infrastructure. The expansion adds AlloyDB for PostgreSQL, Spanner, Cloud SQL, Bigtable and Firestore, plus a Developer Knowledge MCP server for IDE documentation access. These servers use IAM-based authentication and Cloud Audit Logs for observability and governance, letting teams scale agentic workloads securely.

Amazon Aurora DSQL Integrates with Kiro Powers, Skills

🤖 Amazon Web Services today announced that Amazon Aurora DSQL now integrates with Kiro powers and AI agent skills to accelerate database-backed application development. The integration packages the Aurora DSQL Model Context Protocol (MCP) server with development best practices so AI agents can assist with schema design, performance tuning, and routine database operations out of the box. Kiro powers provides a curated registry of MCP servers, steering files, and agent hooks with one-click installation in the Kiro IDE. The Aurora DSQL skill extends the same guidance to other agent ecosystems via a Skills CLI, allowing agents to dynamically load Postgres-compatible SQL patterns, distributed design advice, and IAM authentication guidance.

SmartLoader Trojans Oura MCP Server to Deliver StealC

🛡️ Researchers at Straiker's AI Research (STAR) Labs disclosed a SmartLoader campaign that distributes a trojanized Oura Model Context Protocol (MCP) server to deploy the StealC infostealer. Attackers built a deceptive network of fake GitHub accounts and forks, added sham contributors, and submitted the malicious server to the MCP Market to exploit developer trust. The delivered ZIP runs an obfuscated Lua script that drops SmartLoader, which then installs StealC to exfiltrate credentials, browser passwords, and cryptocurrency wallet data. Organizations should inventory MCP servers, verify provenance before installation, and monitor for suspicious egress and persistence.

Anthropic DXT's Privileged Design Enables Critical RCE

⚠️ LayerX Security published a report describing a critical zero-click RCE in Anthropic’s Claude Desktop Extensions (DXT) that can let a malicious Google Calendar invite trigger arbitrary local code execution when MCP connectors run with full system privileges. The researchers say DXT runs unsandboxed and can autonomously chain low-risk services to high-risk local executors without user consent. Anthropic says users explicitly grant MCP permissions and must configure the tool carefully, while security experts call the issue architectural and urge stricter deployment controls and sandboxing.

Critical Zero-Click Flaw in Claude Desktop Extensions

⚠️ LayerX disclosed a critical zero-click vulnerability affecting 50 Claude Desktop Extensions (DXT) that can result in remote code execution from a single crafted Google Calendar event. The flaw is possible because DXTs operate as unsandboxed MCP servers with full host privileges, allowing them to read files, run system commands and access credentials. LayerX rated the issue CVSS 10.0 and warned it could affect over 10,000 active users. Anthropic has declined to remediate, saying the scenario falls outside its current threat model.

DockerDash: Metadata Flaw in Docker's Ask Gordon AI

⚠️ Noma Labs disclosed a critical vulnerability, dubbed DockerDash, in Docker's Ask Gordon AI assistant that allows unverified image metadata to be treated as executable instructions. The flaw exploits a trust failure in the Model Context Protocol (MCP) gateway: Ask Gordon reads Docker LABEL metadata, forwards the interpreted content to MCP, and MCP tools execute it without validation. Depending on deployment this can enable remote code execution (cloud/CLI) or large-scale data exfiltration and reconnaissance in Docker Desktop. Docker issued mitigations in Docker Desktop 4.50.0 and users are urged to upgrade.

Anthropic Git MCP Server: Three Flaws Risk LLM Tampering

🔓 Researchers at Israel-based Cyata disclosed three vulnerabilities in Anthropic's official mcp-server-git that enable prompt-injection attacks to influence MCP tool calls and perform unapproved actions. The flaws affect versions prior to 2025.12.18 and are tracked as CVE-2025-68143, CVE-2025-68144, and CVE-2025-68145; together they allow arbitrary git flags, path tampering, file overwrite/deletion, and abuse of git smudge/clean filters to execute code. Cyata and interviewed experts urge an immediate update to the patched release and recommend auditing MCP deployments, restricting Git + Filesystem combinations, applying least-privilege, sanitizing inputs, and adding logging and retrospection for agent actions.