CISO Brief

All news with #mcp security tag

45 articles · page 2 of 3

gRPC as a Native Transport for the Model Context Protocol

🔗 Google Cloud describes work to enable gRPC as a native transport for the Model Context Protocol (MCP), offering an alternative to JSON-RPC transcoding for organizations that already use gRPC. Native gRPC eliminates the need for transcoding gateways and preserves existing tooling, while delivering lower latency, smaller Protobuf-encoded payloads, and full-duplex streaming. The MCP core maintainers agreed to pluggable transports in the SDK, and Google Cloud will contribute a community-backed gRPC transport package to promote consistent, interoperable deployments.

Securing MCPs: Control of Agentic AI Tool Access and Risks

🔒 This webinar explains why MCPs — the control plane that governs what agentic AI can execute — are a critical but often overlooked security boundary. Drawing on recent incidents such as CVE-2025-6514, the session shows how trusted proxies and misconfigurations can convert automation into a remote code execution vector at scale. Participants will learn to detect shadow API keys, audit agent actions, and apply practical controls to secure agentic AI without slowing development.

Google Antigravity IDE Integrates Data Cloud via MCP

🔌 Google Cloud has integrated the Model Context Protocol (MCP) into Antigravity, its new AI-first IDE, enabling LLM-based agents to access enterprise data services directly within the development workflow. The Antigravity MCP Store lets developers install connectors for AlloyDB, BigQuery, Spanner, Cloud SQL, Looker and other Data Cloud products, configuring projects, regions, and credentials through a guided UI. Once connected, agents receive executable tools for schema exploration, query development, optimization, forecasting, catalog search, and semantic validation, while credentials are stored securely and MCP standardizes access across services.

Tools and Strategies to Secure Model Context Protocol

🔒 Model Context Protocol (MCP) is increasingly used to connect AI agents with enterprise data sources, but real-world incidents at SaaS vendors have exposed practical weaknesses. The article describes what MCP security solutions should provide — discovery, runtime protection, strong authentication and comprehensive logging — and surveys offerings from hyperscalers, platform providers and startups. It stresses least-privilege and Zero Trust as core defenses.

MCP Sampling Risks: New Prompt-Injection Attack Vectors

🔒 This Unit 42 investigation (published December 5, 2025) analyzes security risks introduced by the Model Context Protocol (MCP) sampling feature in a popular coding copilot. The authors demonstrate three proof-of-concept attacks—resource theft, conversation hijacking, and covert tool invocation—showing how malicious MCP servers can inject hidden prompts and trigger unobserved model completions. The report evaluates detection techniques and recommends layered mitigations, including request sanitization, response filtering, and strict access controls to protect LLM integrations.

Securing Web3 Agents: MCP Transaction Models & Practices

🔐 This post from Adrien Delaroche at Google Cloud outlines three architectures for AI agents that interact with blockchains: the agent-controlled custodial model, a self-hosted variant, and the non-custodial transaction-crafter model. It explains security, performance, and malice risks when agents hold private keys and recommends returning unsigned transactions so users sign locally. The author demonstrates a sample implementation using Google ADK, Gemini 2.0 Flash, Cloud Run, and an Ethereum faucet, and urges MCP servers to support both signing and unsigned flows to balance automation with user safety.

RCE Flaw in OpenAI's Codex CLI Elevates Dev Risks Globally

⚠️ Researchers from Check Point disclosed a critical remote code execution vulnerability in OpenAI's Codex CLI that allowed project-local .env files to redirect the CODEX_HOME environment variable and load attacker-controlled MCP servers. By adding a malicious mcp_servers entry in a repo-local .codex/config.toml, an attacker with commit or PR access could cause Codex to execute commands silently whenever a developer runs the tool. OpenAI addressed the issue in Codex CLI v0.23.0 by blocking project-local redirection of CODEX_HOME, but the flaw demonstrates how automated LLM-powered developer tools can expand the attack surface and enable persistent supply-chain backdoors.

Amazon API Gateway Adds MCP Proxy for Agent Integration

🤖 Amazon API Gateway now supports the Model Context Protocol (MCP) via a proxy, enabling organizations to expose existing REST APIs to AI agents and MCP clients without modifying their applications. Integrated with Amazon Bedrock AgentCore's Gateway, the feature performs protocol translation, indexes APIs for semantic tool discovery, and eliminates the need to host additional intermediary infrastructure. It also enforces dual authentication to verify agent identities for inbound requests while managing secure outbound connections to REST endpoints. The capability is available in nine AWS Regions and follows Amazon Bedrock AgentCore pricing.

Comet AI Browser's Embedded API Permits Device Access

⚠️ Security firm SquareX disclosed a previously undocumented MCP API inside the AI browser Comet that enables embedded extensions to execute arbitrary commands and launch applications — capabilities mainstream browsers normally block. The API can be triggered covertly from pages such as perplexity.ai, creating an execution channel exploitable via compromised extensions, XSS, MITM, or phishing. SquareX highlights that the analytics and agentic extensions are hidden and cannot be uninstalled, leaving devices exposed by default.

Rogue MCP Servers Can Compromise Cursor's Embedded Browser

⚠️ Security researchers demonstrated that a rogue Model Context Protocol (MCP) server can inject JavaScript into the built-in browser of Cursor, an AI-powered code editor, replacing pages with attacker-controlled content to harvest credentials. The injected code can run without URL changes and may access session cookies. Because Cursor is a Visual Studio Code fork without the same integrity checks, MCP servers inherit IDE privileges, enabling broader workstation compromise.

What CISOs Should Know About Securing MCP Servers Now

🔒 The Model Context Protocol (MCP) enables AI agents to connect to data sources, but early specifications lacked robust protections, leaving deployments exposed to prompt injection, token theft, and tool poisoning. Recent protocol updates — including OAuth, third‑party identity provider support, and an official MCP registry — plus vendor tooling from hyperscalers and startups have improved defenses. Still, authentication remains optional and gaps persist, so organizations should apply zero trust and least‑privilege controls, enforce strong secrets management and logging, and consider specialist MCP security solutions before production rollout.

Prompt Injection Flaw in Anthropic Claude Desktop Exts

🔒 Anthropic's official Claude Desktop extensions for Chrome, iMessage and Apple Notes were found vulnerable to web-based prompt injection that could enable remote code execution. Koi Security reported unsanitized command injection in the packaged Model Context Protocol (MCP) servers, which run unsandboxed on users' devices with full system permissions. Unlike browser extensions, these connectors can read files, execute commands and access credentials. Anthropic released a fix in v0.1.9, verified by Koi Security on September 19.

Aembit Launches IAM for Agentic AI with Blended Identity

🔐 Aembit today announced Aembit Identity and Access Management (IAM) for Agentic AI, introducing Blended Identity and the MCP Identity Gateway to assign cryptographically verified identities and ephemeral credentials to AI agents. The solution extends the Aembit Workload IAM Platform to enforce runtime policies, apply least-privilege access, and maintain centralized audit trails for agent and human actions. Designed for cloud, on‑premises, and SaaS environments, it records every access decision and preserves attribution across autonomous and human-driven workflows.

Model Context Protocol Proxy for AWS Now Generally Available

🔒 The Model Context Protocol (MCP) Proxy for AWS is now generally available, offering a client-side proxy that lets MCP clients connect to remote, AWS-hosted MCP servers using AWS SigV4 authentication. It supports agentic development tools such as Amazon Q Developer CLI, Kiro, Cursor, and agent frameworks like Strands Agents, and interoperates with MCP servers built on Amazon Bedrock AgentCore Gateway or Runtime. The open-source Proxy includes safety controls (read-only mode), configurable retry logic, and logging for troubleshooting, and can be installed from source, via Python package managers, or as a container to integrate with existing MCP-supported tools.

Anonymous Credentials for Privacy-Preserving Rate Limiting

🔐 Cloudflare presents a privacy-first approach to rate-limiting AI agents using anonymous credentials. The post explains how schemes such as ARC and ACT extend the Privacy Pass model by enabling late origin-binding, multi-show tokens, and stateful counters so origins can enforce limits or revoke abusive actors without identifying users. It outlines the cryptographic building blocks—algebraic MACs and zero-knowledge proofs—compares performance against Blind RSA and VOPRF, and demonstrates an MCP-integrated demo showing issuance and redemption flows for agent tooling.

ThreatsDay: Widespread Attacks Exploit Trusted Systems

🔒 This ThreatsDay bulletin highlights a series of recent incidents where attackers favored the easiest paths in: tricking users, abusing trusted services, and exploiting stale or misconfigured components. Notable items include a malicious npm package with a post-install backdoor, a CA$176M FINTRAC penalty for missed crypto reporting, session hijacking via MCP (CVE-2025-6515), and OAuth-based persistent backdoors. Practical defenses emphasized are rapid patching, disabling risky install hooks, auditing OAuth apps and advertisers, and hardening agent and deserialization boundaries.

Prompt Hijacking Risks MCP-Based AI Workflows Exposed

⚠️ Security researchers warn that MCP-based AI workflows are vulnerable to "prompt hijacking" when MCP servers issue predictable or reused session IDs, allowing attackers to inject malicious prompts into active client sessions. JFrog demonstrated the issue in oatpp-mcp (CVE-2025-6515), where guessable session IDs could be harvested and reassigned to craft poisoned responses. Recommended mitigations include generating session IDs with cryptographically secure RNGs (≥128 bits of entropy) and having clients validate unpredictable event IDs.

Agentic AI and the OODA Loop: The Integrity Problem

🛡️ Bruce Schneier and Barath Raghavan argue that agentic AIs run repeated OODA loops—Observe, Orient, Decide, Act—over web-scale, adversarial inputs, and that current architectures lack the integrity controls to handle untrusted observations. They show how prompt injection, dataset poisoning, stateful cache contamination, and tool-call vectors (e.g., MCP) let attackers embed malicious control into ordinary inputs. The essay warns that fixing hallucinations is insufficient: we need architectural integrity—semantic verification, privilege separation, and new trust boundaries—rather than surface patches.

MCPTotal Launches Platform to Secure Enterprise MCPs

🔒 MCPTotal today launched a comprehensive platform designed to help organizations adopt and secure Model Context Protocol (MCP) servers with centralized hosting, authentication and credential vaulting. Its hub-and-gateway architecture functions as an AI-native firewall to monitor MCP traffic, enforce policies in real time, and provide a vetted catalog of hundreds of secure MCP servers. Employees can safely connect models to business systems like Slack and Gmail while security teams gain visibility, guardrails, auditing and multi-environment coverage to reduce supply chain, prompt-injection, rogue-server and data-exfiltration risks.

Severe Figma MCP Command Injection Enables RCE Remotely

🔒 Cybersecurity researchers disclosed a now-patched command injection vulnerability in the figma-developer-mcp Model Context Protocol server that could allow remote code execution. Tracked as CVE-2025-53967 (CVSS 7.5), the flaw stems from unsanitized user input interpolated into shell commands when a fetch fallback uses child_process.exec to run curl. Imperva reported the issue and maintainers released a fix in figma-developer-mcp v0.6.3; users should update immediately.