MCPwn — First Named MCP Exploit Campaigns with Actively Exploited CVEs
AI relevance: MCP (Model Context Protocol) servers connect AI agents to external systems — these are the first named exploit campaigns targeting the MCP server supply chain, with active exploitation observed before patches shipped.
Pluto Security disclosed two named MCP exploit campaigns, both actively exploited before patches were available:
- MCPwn (CVE-2026-33032) — CVSS 9.8, actively exploited, 2,600+ instances exposed. Full nginx server takeover via two HTTP requests with no authentication.
- MCPwnfluence (CVE-2026-27825, CVE-2026-27826) — Affecting mcp-atlassian, the most widely used Atlassian MCP server (4,400+ GitHub stars, 260K weekly downloads). SSRF chained with arbitrary file write via the confluence_download_attachment tool (no path validation). Unauthenticated RCE — two requests, root on the target machine. Local network attackers could own the machine.
Both disclosed by Pluto Security. Both were actively exploited before patches shipped. These are the first named MCP exploit campaigns.
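The MCPwnfluence file write comes from a download tool that accepts a destination path with no validation. The following is an added example, not mcp-atlassian's code or its patch, showing one way to confine such a destination to a single directory; the function names, `base_dir` and the sample paths are assumptions constructed for illustration.

```python
import os
import tempfile
from pathlib import Path


class UnsafePathError(ValueError):
    """Requested destination falls outside the allowed download directory."""


def resolve_download_path(base_dir: str, requested: str) -> Path:
    """Return an absolute path inside base_dir (hypothetical allow-listed dir) or raise."""
    if not requested or "\x00" in requested:
        raise UnsafePathError("empty path or NUL byte")
    base = Path(base_dir).resolve(strict=True)
    # An absolute `requested` replaces base on join; resolve() collapses ".." and symlinks.
    candidate = (base / requested).resolve(strict=False)
    if candidate == base or not candidate.is_relative_to(base):
        raise UnsafePathError(f"{requested!r} escapes {base}")
    return candidate


def write_attachment(base_dir: str, requested: str, data: bytes) -> Path:
    """Write data only after the destination has been confined to base_dir."""
    target = resolve_download_path(base_dir, requested)
    target.parent.mkdir(parents=True, exist_ok=True)
    # O_EXCL refuses to overwrite an existing file; O_NOFOLLOW rejects a symlink target.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    with os.fdopen(os.open(target, flags, 0o600), "wb") as fh:
        fh.write(data)
    return target


def demo() -> dict:
    """Run constructed destinations through the check; True means the write was rejected."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "downloads"
        base.mkdir()
        os.symlink(tmp, base / "link")  # constructed symlink pointing out of base
        for p in ["a.pdf", "sub/b.txt", "../x.txt", "/tmp/x.txt", "link/x.txt"]:
            try:
                write_attachment(str(base), p, b"constructed sample")
                results[p] = False
            except UnsafePathError:
                results[p] = True
    return results


if __name__ == "__main__":
    print(demo())
```

Resolving and opening are separate steps, so the base directory itself should not be writable by untrusted local users.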
Why it matters
- MCP servers are the critical bridge between AI agents and your infrastructure — databases, file systems, CI/CD, CRMs, communication tools. A compromised MCP server gives an attacker a trusted path through the agent into your production environment.
- mcp-atlassian's supply chain risk: a single maintainer is responsible for a package that connects your AI agent to your entire Atlassian instance, a concentration of trust the ecosystem hasn't priced in.
- Active exploitation before patches confirms what researchers have been warning: MCP server security lags far behind adoption.
- Both exploits required only two HTTP requests — low complexity, high impact, no authentication.
What to do
- Audit all MCP servers in your environment — especially single-maintainer packages with high download counts.
- Isolate MCP servers from production networks where possible — they should not have direct access to sensitive infrastructure.
- Implement network-level segmentation between MCP server processes and critical backend services.
- Monitor for unusual MCP tool invocation patterns, especially from newly installed or updated MCP server packages.