OWASP MCP Top 10 — First Protocol-Specific AI Agent Risk Framework
AI relevance: The OWASP MCP Top 10 is the first framework dedicated to Model Context Protocol risks, addressing tool poisoning, token mismanagement, and shadow MCP servers that directly impact AI agent deployments.
- 30+ MCP CVEs filed Jan-Feb 2026; CVE-2025-6514 (CVSS 9.6) affected 437k+ downloads
- 78.3% attack success rate when 5 MCP servers connected to single agent (Unit 42)
- 82% path traversal exposure, 34% command injection across 2,614 servers surveyed
- Categories include tool poisoning, token mismanagement, shadow MCP servers, context oversharing
- MCP servers handle files, execute commands, manage credentials—classic web vulns in new packaging
- 81% of orgs lack full visibility into AI use across SDLC (Cycode 2026 report)
- Each MCP server is a new trust boundary outside traditional AppSec controls
- Framework sits alongside OWASP LLM Top 10 and Agentic AI Top 10
Why it matters
MCP has become the default connector between AI agents and enterprise systems, but adoption has outpaced security by a wide margin. One compromised MCP server can hijack agent behavior across an entire pipeline, turning trusted tool integrations into attack vectors. The OWASP MCP Top 10 provides the first protocol-specific risk catalog to help teams identify and mitigate these emerging threats.
What to do
- Inventory all MCP servers in use across your development and production environments
- Treat each MCP server connection as a distinct trust boundary requiring explicit validation
- Apply the OWASP MCP Top 10 checklist to audit tool descriptions, token handling, and access controls
- Deploy MCP gateways to enforce policy, sandbox execution, and monitor tool invocations
- Scan for misconfigurations using the OWASP MCP Scanner (beta)