Lufsec — Model Context Protocol: 4 Trust Boundaries Attackers Are Exploiting

AI relevance: MCP is the dominant protocol for connecting AI agents to external tools and APIs — misconfigured trust boundaries here directly enable agent manipulation, tool poisoning, and unauthorized system access.

Key Findings

• Luciano Ferrari at Lufsec maps four MCP trust boundaries that teams consistently misconfigure in production agentic deployments.
• Permission boundary: Agents inherit broad human-operator credentials instead of narrowly scoped, task-specific permissions. Unlike humans, agents apply instructions at machine speed — a manipulated agent with broad access has an immediate, large blast radius.
• Tool trust boundary: Teams assume they trust the model, but they also implicitly trust every MCP server configuration, tool description, skill definition, and external dependency. A compromised or poisoned tool description can redirect agent behavior while appearing legitimate.
• Input boundary: Prompt injection now hides inside PR titles, issue descriptions, configuration files, tool outputs, and any content an agent reads and acts on — no longer confined to chat interfaces.
• Observability boundary: Without protocol-level visibility into agent-tool communications, malicious logic hidden within AI commands remains invisible to EDR and perimeter firewalls, which cannot determine command intent.
• The analysis references supporting work from AWS Security (deterministic access patterns for AI agents), OX Security (systemic MCP supply-chain vulnerabilities), and Cisco (IDE agent security scanning).

Why It Matters

MCP adoption is accelerating across Claude Code, Cursor, and custom agent frameworks. The protocol's flexibility is also its weakness — without explicit trust boundary design, each connected tool becomes a potential pivot point for attackers. The recent wave of MCP-related CVEs (CVE-2025-49596, CVE-2026-22252, CVE-2026-22688) confirms this risk is already being exploited.

What to Do

• Scope MCP server permissions per-task using temporary, narrow credentials — never share human admin credentials with agents.
• Treat tool metadata (descriptions, names, configurations) as executable influence, not harmless glue code.
• Implement allowlists for which MCP servers an agent can connect to, and verify server identity at startup.
• Deploy protocol-level monitoring for agent-tool traffic that traditional security tools cannot inspect.

Sources

• Lufsec — MCP Security: 4 Trust Boundaries to Fix
• AWS Security — Secure AI Agent Access Patterns Using MCP
• OX Security — The Mother of All AI Supply Chains
• Cisco — AI Agent Security Scanner for IDEs