< ciso brief />

All news with the #mcp security tag

54 articles

Critical RCE in Flowise's Custom MCP Tool Revealed

🛡️ Obsidian Security disclosed a critical RCE in the open-source AI workflow platform Flowise (CVE-2026-40933), enabling server takeover when a logged-in user imports a malicious chatflow. Self-hosted deployments are vulnerable by default; Flowise Cloud is not affected. The flaw stems from the Custom MCP tool launching user-supplied commands via stdio without sandboxing, and Flowise's input-validation patch can be bypassed.

Flowise MCP flaw enables single-click remote code execution

🔒 Researchers at Obsidian Security disclosed a near-max severity remote code execution flaw in self-hosted Flowise deployments tied to its Model Context Protocol (MCP) stdio server implementation. The issue stems from Flowise allowing attacker-controlled MCP stdio configurations that execute arbitrary OS commands, enabling one-click post-auth RCE via malicious chatflow imports. Flowise Cloud is unaffected, but self-hosted instances should review and potentially disable stdio MCP or apply strict mitigations.

Linux Foundation proposes DNS-AID for AI agent discovery

🛰️ The Linux Foundation has proposed DNS-AID, a standards-driven extension to the Domain Name System to let AI agents discover, verify, and communicate without new infrastructure. The project leverages a well-known DNS address pattern (for example, _index._agents.{domain}) to provide a global, vendor-neutral directory for agents and MCP servers. Initial work was done by Infoblox, with contributions from Deutsche Telekom and Amazon, and the foundation is soliciting further input to keep the approach scalable and secure.

LLMjacking Risks: Securing Private AI Servers 2026

🔒 A hands-on April 2026 experiment shows how quickly attackers can target private AI servers: a Raspberry Pi honeypot posed as a high-performance stack (Ollama, LM Studio, AutoGPT, LangServe, text-gen-webui) and claimed a local Qwen3-Coder 30B instance plus RAG/MCP assets. Shodan discovered the server within three hours and, over a month, it logged 113,000+ requests from thousands of IPs with 23% probing AI capabilities. Observed tactics included fingerprinting endpoints like /v1/models and /.well-known/mcp.json and systematic hunts for exposed .env files, highlighting the importance of securing RAG, MCP and private AI deployments from day one.

Agentic AI: The Next Blindspot for Security Teams and Risk

🔐 Agentic AI is already operating across enterprises, executing tasks and taking actions often without meaningful security involvement. Security teams must develop hands‑on fluency — build and test agents, understand integrations like the Model Context Protocol, and enforce scoped configurations — because policy alone won't close the gap. The piece distinguishes three agent classes (productivity, MCP‑connected vendor agents, and custom user agents) and emphasizes configuration, access scoping, and training such as SANS SEC545 to reduce exposure.

Securing MCP Infrastructure: Zero-Trust for AI Agents

🔒 Knostic’s internet-wide reconnaissance discovered 1,862 exposed MCP servers, and manual checks of 119 instances showed every sampled server returned internal tool listings without authentication. High-impact flaws like EchoLeak (CVE-2025-32711) and mcp-remote (CVE-2025-6514) illustrate how poisoned documents and command-injection in widely used packages can enable silent data exfiltration or full system compromise. The article prescribes immediate adoption of zero-trust controls: authentication on every interaction, network segmentation, cryptographic signing for tool definitions, continuous integrity monitoring, and human approval for sensitive actions.

Including MCP in Continuous Threat Exposure Management

🔒 Model Context Protocol (MCP), the emerging plugin layer for agentic AI, has become a significant blind spot for security teams, introducing new shadow-AI risks much like shadow IT. CTEM programs can close this gap by extending scoping, discovery, prioritization, validation and mobilization to cover developer workstations, AI toolchains and MCP server configurations. Practical actions include actively enumerating MCP endpoints, scanning agent configuration and markdown context files for hardcoded API keys, and prioritizing exposures by attacker impact to produce actionable remediation tickets for engineering teams.

AWS Releases MCP Server for Secure Agent Access and Auditing

🔒 AWS has announced general availability of the AWS MCP Server, a managed endpoint that gives AI coding agents secure, auditable access to AWS services using the Model Context Protocol (MCP). The server is part of the Agent Toolkit for AWS and enforces IAM-based guardrails while emitting CloudWatch metrics and CloudTrail logs so teams keep visibility and control. It supports calling any AWS API through a single tool, sandboxed Python execution for multi-step tasks without filesystem or shell access, and a new agent skills format for on-demand, curated procedures. The service is available at no additional charge; customers pay only for the AWS resources agents consume.

Anthropic MCP Design Flaw Enables Remote Code Execution

⚠️ OX Security disclosed a systemic "by design" vulnerability in Anthropic's Model Context Protocol (MCP) SDK that permits remote command execution across reference implementations (Python, TypeScript, Java, Rust). Unsafe defaults in MCP's STDIO configuration produced 10 vulnerabilities affecting projects such as LiteLLM, LangChain, and Flowise, impacting over 7,000 public servers and 150 million downloads. Several downstream vendors have issued patches, but Anthropic has declined to change the protocol reference implementation, leaving an ongoing AI supply-chain risk.

MCP STDIO Design Choice Enables Widespread RCE Risk

⚠️ Researchers at OX Security warn that a design decision in Anthropic’s reference Model Context Protocol (MCP) STDIO implementation may permit remote code execution (RCE) when client applications start local MCP servers without proper command filtering. The flaw stems from SDKs accepting arbitrary STDIO commands as subprocess arguments, which many adapters and tools inherit. Anthropic and other framework maintainers say this behavior is by design and that application developers must sanitize inputs, but OX found few effective defenses and demonstrated RCE across numerous projects and services.

Critical Nginx UI Auth-Bypass (MCP) Flaw Actively Exploited

⚠️ A critical authentication bypass in nginx-ui (CVE-2026-33032) allows unauthenticated attackers to invoke privileged MCP actions via an unprotected /mcp_message endpoint. Exploitation can write, modify, and reload Nginx configuration files, enabling full server takeover from a single request. NGINX issued fixes (starting with 2.3.4, latest secure build 2.3.6) after disclosures; administrators should update and audit exposed instances immediately.

Critical 'MCPwn' Flaw in nginx UI Enables Full Takeover

⚠️ Pluto Security has published a full analysis of a critical vulnerability, CVE-2026-33032, in the nginx UI configuration tool that has been actively exploited since March. The flaw, rated CVSS 9.8, is caused by an unauthenticated MCP endpoint (/mcp_message) — dubbed MCPwn — which allows attackers to inject configs and trigger automatic nginx reloads. The vendor recommends applying the 2.3.4 patch released March 15; short-term mitigations include disabling MCP, locking access to trusted IPs, and reviewing logs for suspicious configuration changes.

Critical nginx-ui Authentication Bypass Enables Takeover

⚠️ A critical authentication-bypass flaw (CVE-2026-33032) in nginx-ui is being actively exploited to seize control of Nginx services. The issue stems from the MCP integration exposing two endpoints; /mcp_message lacks the AuthRequired() middleware and the default IP whitelist is treated as "allow all," permitting unauthenticated invocation of management tools. Update to v2.3.4 immediately or disable MCP and restrict access as interim mitigations.

Secure AI Agent Access Patterns Using MCP on AWS Guide

🔒 This post explains how AI agents and coding assistants access AWS resources via the Model Context Protocol (MCP) and why deterministic IAM controls are required. It outlines three security principles—assume all granted permissions could be used, enforce role governance, and differentiate AI-driven from human-initiated actions—and maps them to deployment patterns. It contrasts AWS-managed MCP servers (which inject context keys) with self-managed servers (which require session tags), and provides practical IAM policy examples, monitoring guidance, and operational controls.

Securing Enterprise MCP: Cloudflare’s Portal and Code Mode

🔐 Cloudflare outlines how it centralized and secured company-wide use of the Model Context Protocol (MCP) by combining controls from Cloudflare One and its developer platform. The post explains why locally hosted MCP servers posed supply‑chain and administration risks and how Cloudflare moved to governed, remote MCP servers with Access-based authentication, audit logging, and CI/CD templates. It highlights MCP server portals, Code Mode to reduce token costs, and Gateway detection for shadow MCP.

Building the Internet for Agents: Cloudflare’s Agents Week

🔔 Cloudflare is launching Agents Week to announce platform work aimed at scaling one-to-one AI agents across the Internet. The post argues that traditional container-based cloud models don't map well to ephemeral, per-user agents and highlights Workers and lightweight isolates as efficient primitives alongside GA container sandboxes and improved browser rendering. It also stresses integrating security, identity, payment, and open standards like MCP to make agents practical and sustainable.

Build Production-Ready AI Agents with Google MCP Servers

🔒 Google-managed MCP servers provide enterprise-grade, production-ready endpoints that let AI agents securely call Google services such as Maps, BigQuery, GKE, and Cloud Run. They remove infrastructure overhead by handling hosting, scaling, and reliability while integrating with Cloud IAM, VPC-SC, and Model Armor for governance and inline content filtering. Built-in observability via Cloud Audit Logs ensures traceability of tool calls for compliance and troubleshooting.

Navigating Security Tradeoffs for Enterprise AI Agents

🔒 Unit 42 examines the security tradeoffs of agentic AI, spotlighting the early 2026 Clawdbot surge and pervasive vulnerabilities such as exposed gateways, plaintext credentials, and overbroad permissions. The piece identifies two primary threat paths: malicious model files and compromised Model Context Protocol (MCP) servers, and explains how compromised agents can act as powerful insider threats. Practical guidance includes scanning and sandboxing models, preferring trusted remote MCPs or auditing local MCP code, enforcing strict least-privilege tool access, implementing prompt-injection guardrails, and maintaining detailed logging and policy reviews.

CursorJack: MCP Deeplink Risk in AI Development Environment

⚠️ Proofpoint researchers disclosed CursorJack, a technique that abuses Cursor's Model Context Protocol (MCP) deeplinks to embed installation configurations that can lead to local code execution or the installation of remote malicious servers. Exploitation requires a user to click a crafted deeplink and approve an installation prompt; success depends on system configuration and user privileges, and no zero‑click vector was observed. Proofpoint published a proof‑of‑concept, notified Cursor, and recommends verifying MCP sources, tightening permission controls, and improving visibility into installation parameters to mitigate social‑engineering risks.

AI Agents as Identity Dark Matter: Governance Risks

🔐 The article explains how Model Context Protocol (MCP)-driven AI agents are rapidly moving from chat assistants into enterprise workflows, creating an emergent class of non-human identities that often evade traditional IAM controls. It warns these agents gravitate to low-friction credentials—local accounts, long-lived tokens, and API keys—creating pervasive “identity dark matter.” The piece recommends pairing agents with human sponsors, enforcing dynamic, context-aware access, centralizing visibility and auditability, and applying consistent governance across hybrids to prevent privilege drift and regulatory blind spots.