UVCyber MCP Threat Advisory: 40+ CVEs, Tool Poisoning, and the Missing Auth Layer
AI relevance: The Model Context Protocol is the standard interface for enterprise AI agents to access databases, APIs, and cloud services — but it ships without built-in authentication or authorization, creating a structural attack surface across hundreds of thousands of servers.
UltraViolet Cyber published a comprehensive MCP Threat Advisory on May 27, 2026, mapping the full attack surface of the Model Context Protocol. Key findings:
- 40+ CVEs against MCP implementations in Python, TypeScript, Java, and Rust SDKs between January and April 2026 — including both reference servers and third-party tools.
- Microsoft patched a high-severity MCP flaw in its March 2026 security release that allowed attackers to manipulate how AI assistants interact with connected services.
- April 2026 advisory identified 10 additional high/critical CVEs, with an estimated 200,000 vulnerable servers exposed globally.
- The MCP specification has no built-in authentication or authorization — every server inherits whatever permissions it's granted, and every agent request flows without verification unless controls are added externally.
Three MCP-specific attack techniques
- Tool poisoning: A malicious MCP server presents tools that appear normal, but responses contain hidden instructions injected into the LLM's context window. Demonstrated attacks silently exfiltrate entire chat histories including credentials and intellectual property.
- Rug pulls: A tool's description or behavior is silently altered after user approval, turning a previously benign tool potentially malicious without triggering a new approval flow.
- Tool shadowing: Exploits the trust gap between initial tool approval and runtime behavior to hijack agent actions or establish covert command-and-control channels.
Why it matters
MCP now underpins the productivity workflows of a significant majority of Fortune 500 companies, yet adoption has far outpaced security maturity. The volume and severity of disclosed vulnerabilities confirm that MCP infrastructure is being actively scrutinized by both researchers and adversaries, and many production deployments remain unpatched or misconfigured.
What to do
- Full inventory of all MCP servers — classify as local or remote, remove or isolate any unvetted or unused instances.
- Implement tool description fingerprinting at the proxy layer — detect and block any changes to tool definitions after initial registration.
- Disable auto-approval of tool invocations in all production deployments and enforce OAuth 2.1 authentication, least-privilege scoping, and structured audit logging on every MCP server connection.
- Establish a formal MCP governance program aligned to the OWASP MCP Top 10 framework — version pinning, signed tool definitions, continuous dependency monitoring, and quarterly red-team exercises targeting agentic AI workflows.