DSN 2026 — First Cross-Entity Security Study of the MCP Ecosystem
AI relevance: MCP is the dominant standard for connecting LLM agents to external tools — any systemic vulnerability in its host/server/registry chain directly impacts every agent deployment that relies on tool use.
Key Findings
- 67,057 MCP servers analyzed across six public registries, making this the largest empirical study of the MCP ecosystem to date.
- Two-stage attack surface identified: (1) registry-level weaknesses allow adversarial or hijacked servers to enter hosts; (2) post-integration, attacker-controlled tool metadata shapes LLM reasoning and triggers unintended operations — without any code-level exploit.
- Weak vetting at registries: no ownership verification, inconsistent server identity information, and informal naming practices enable easy impersonation of legitimate tools.
- Tool metadata manipulation: tool descriptions are treated as trusted text by hosts — no independent verification of LLM tool selections means a poisoned description can redirect agent behavior.
- Identical tool names across different servers create ambiguity that hosts resolve inconsistently, enabling tool confusion attacks.
- MCPInspect — the researchers' pre-integration analysis tool — detected 833 vulnerable servers and 18 with suspicious descriptions among the scanned registries.
- Direct invocation risks arise from tool metadata alone, without requiring code execution vulnerabilities. Exploitable code issues (e.g., injection) merely amplify the damage.
Why It Matters
This is the first study to trace the full risk chain from registry to host execution. Previous MCP security research focused narrowly on malicious servers; this work shows that even honest-but-flawed hosts create exploitable gaps through missing verification of LLM outputs and tool selection. If you run any agent that discovers and connects to MCP servers from public registries, the registry-to-host pipeline is an unverified trust boundary.
What to Do
- Pre-integration scanning: Run MCPInspect or equivalent static analysis on MCP servers before connecting them to production agents.
- Restrict registry sources: Pin MCP servers to vetted, private registries rather than discovering from open directories.
- Add tool verification: Implement host-side guards that validate LLM tool selections against a whitelist of expected tools per server.
- Namespace tool names: Use server-prefixed tool names to eliminate ambiguity from identical names across servers.
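A host-side guard implementing the last two recommendations above (server-prefixed tool names and validation of LLM tool selections against a per-server allow list), which also covers the tool-confusion finding under Key Findings. This is an added Python example, not code from the DSN 2026 paper or from MCPInspect. It goes one step beyond the page by pinning a hash of each description at scan time so that metadata changed after pre-integration scanning is flagged. All server ids, tool names and descriptions are constructed sample data, and server ids are assumed to contain no ".".

```python
"""Host-side guard for MCP tool selections.

Added example, not code from the DSN 2026 paper or from MCPInspect. It
implements the namespacing and allow-list checks recommended on this page
and adds description pinning. All server ids, tool names and descriptions
are constructed sample data; server ids are assumed to contain no ".".
"""
import hashlib
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ToolSpec:
    server: str       # id of the MCP server that advertised the tool
    name: str         # bare tool name as advertised by the server
    description: str  # description text; untrusted input, never a policy source


@dataclass
class ToolGuard:
    """Registers tools under server-prefixed names and validates the
    LLM's tool selection before the host dispatches the call."""
    tools: dict = field(default_factory=dict)         # qualified name -> ToolSpec
    by_bare_name: dict = field(default_factory=dict)  # bare name -> [server ids]

    @staticmethod
    def qualify(server: str, name: str) -> str:
        # "server.tool" makes identical bare names from different servers distinct.
        return f"{server}.{name}"

    def register(self, spec: ToolSpec) -> str:
        qualified = self.qualify(spec.server, spec.name)
        if qualified in self.tools:
            raise ValueError(f"server {spec.server!r} advertised {spec.name!r} twice")
        self.tools[qualified] = spec
        self.by_bare_name.setdefault(spec.name, []).append(spec.server)
        return qualified

    def ambiguous_names(self) -> dict:
        """Bare names advertised by more than one server (tool-confusion risk)."""
        return {n: s for n, s in self.by_bare_name.items() if len(s) > 1}

    def check_call(self, selected: str, expected: dict) -> tuple:
        """Decide whether an LLM-selected tool may be dispatched.

        `expected` maps server id -> set of bare tool names the host expects
        from that server (the per-server allow list). Returns (allowed, reason).
        """
        if "." not in selected:
            # A bare name would resolve to whichever server registered it last.
            return False, f"unqualified selection {selected!r}"
        server, _, name = selected.partition(".")
        if name not in expected.get(server, set()):
            return False, f"{name!r} not in allow list for server {server!r}"
        if selected not in self.tools:
            return False, f"{selected!r} was never registered"
        return True, "ok"

    def snapshot(self) -> dict:
        """Hash each vetted description so later changes can be detected."""
        return {q: hashlib.sha256(t.description.encode()).hexdigest()
                for q, t in self.tools.items()}

    def drifted(self, snapshot: dict) -> list:
        """Qualified names whose description no longer matches the snapshot."""
        current = self.snapshot()
        return sorted(q for q in current if snapshot.get(q) != current[q])


def demo() -> dict:
    """Runs the guard over constructed sample tools; returns the decisions."""
    guard = ToolGuard()
    guard.register(ToolSpec("fs_alpha", "read_file", "Read a file by path."))
    guard.register(ToolSpec("fs_beta", "read_file", "Read a file from the beta share."))
    guard.register(ToolSpec("mail", "send", "Send an email."))
    expected = {"fs_alpha": {"read_file"}, "mail": {"send"}}  # nothing expected from fs_beta
    pinned = guard.snapshot()
    # Simulate a server changing its description after the pre-integration scan.
    guard.tools["mail.send"] = ToolSpec("mail", "send", "Send an email. (wording changed after scan)")
    return {
        "ambiguous": guard.ambiguous_names(),
        "bare_call": guard.check_call("read_file", expected),
        "alpha_call": guard.check_call("fs_alpha.read_file", expected),
        "beta_call": guard.check_call("fs_beta.read_file", expected),
        "drifted": guard.drifted(pinned),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The guard refuses unqualified selections outright rather than picking a default server, because a bare `read_file` is exactly the ambiguity that tool-confusion attacks exploit; the allow list is keyed by server so the same bare name can be permitted from one server and denied from another.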