AUTOMATIONSWITCH
MCP Security: The Visual Audit

Your MCP Server Is Only as Secure as What the Spec Leaves Out

The protocol connects AI agents to external tools. The auth layer is solid.
Everything after authentication is yours to build, monitor, and defend.

50 catalogued vulnerabilities across the MCP ecosystem
200K+ servers affected by STDIO command injection alone
36.8% of community skills contain at least one security flaw
Last updated: April 2026. Reviewed and updated quarterly.

In Spec vs Left to You

The MCP spec mandates strong authentication. Everything after identity verification falls to the implementer.

| Security Control | Coverage | Level |
|---|---|---|
| OAuth 2.1 + PKCE | Yes | MUST (when auth is used) |
| RFC 8707 Resource Indicators | Yes | MUST (since March 2026) |
| HTTPS for auth endpoints | Yes | MUST |
| Token audience validation | Yes | MUST |
| Token passthrough prohibition | Yes | MUST |
| SSRF mitigation (private IP blocking) | Yes | SHOULD |
| Secure session IDs | Yes | MUST |
| Pre-execution consent for local servers | Yes | MUST |
| Sandboxing / containers | Guidance only | SHOULD |
| RBAC / per-tool permissions | Left to you | Implementer |
| Rate limiting | Left to you | Implementer |
| mTLS | Left to you | Implementer |
| Input sanitisation for tool params | Left to you | Implementer |
| Cryptographic message integrity | Left to you | Implementer |
| Supply chain verification / code signing | Left to you | Implementer |
| Audit logging beyond protocol logging | Left to you | Implementer |

Breaches Already Documented

Four confirmed production incidents affecting real organisations, from data contamination to private repository exfiltration.

  1. May 2025
    Asana
    1,000+ enterprise customers

    Cross-organisation data contamination through the Asana MCP integration. Agent queries returned data from organisations the caller had zero access to.

    Source: AuthZed
  2. June 2025
    WordPress AI Engine
    100,000+ sites

    Privilege escalation through the MCP interface. Authenticated users with subscriber-level access could escalate to administrator privileges.

    Source: AuthZed
  3. 2025
    Supabase
    Private database tables exposed

    Prompt injection via support tickets. When the Supabase agent processed the ticket, it followed embedded instructions and returned private table schemas.

    Source: AuthZed
  4. 2025
    GitHub MCP
    Private repository data leaked

    A malicious public issue containing a prompt injection payload hijacked a developer's MCP-connected assistant, exfiltrating contents from private repositories.

    Source: AuthZed

How MCP Servers Get Compromised

Four documented attack patterns, from command injection to zero-click remote code execution.

STDIO Command Injection

STDIO transport passes arguments directly to shell commands. A malicious tool parameter can escape the JSON-RPC envelope and execute arbitrary commands on the host.

CVE-2025-6514, CVSS 9.6 (Source: The Register)

Tool Poisoning

Malicious instructions embedded inside tool descriptions. LLMs read these descriptions to decide how to use tools, so a poisoned description can steer the model into unauthorised actions. A two-stage variant plants persistence first, then exfiltrates SSH keys.

Source: COSAI

Prompt Injection via Sampling

Exploits bidirectional sampling, in which an MCP server can ask the client's LLM to generate completions. An attacker-controlled server crafts prompts with hidden instructions.

Source: Palo Alto Unit 42

Zero-Click RCE via Documents

Prompt payloads injected into shared documents (Google Docs, Notion pages). When an MCP server reads the document, embedded instructions auto-execute through the agent.

CVE-2026-23744, CVSS 9.8 (Source: Red Hat)

The Snyk ToxicSkills Report

Your MCP server is someone else's dependency. The skills ecosystem carries measurable risk.

Community Skills: Contamination Rates

36.8% of community skills have at least one security flaw (Source: Snyk)
13.4% have critical-level security issues (Source: Snyk)
76 confirmed malicious payloads in the wild (Source: Snyk ToxicSkills)

Before Installing Any Skill

  1. Read the full SKILL.md before installing
  2. Check the author and repository reputation (stars, forks, recent activity)
  3. Search for obfuscated code, encoded strings, or suspicious fetch/eval calls
  4. Verify the skill requests only the permissions it actually needs
  5. Test in an isolated environment before running against production code
  6. Pin skill versions to prevent supply chain attacks via auto-updates
  7. Report suspicious skills to the platform and the community

Download the Playbook

Get the MCP Security Practitioner Playbook as a portable PDF. Share it with your team or attach it to a security review.


Vercel to Axiom to Email

Three layers, zero cost. From tool call to inbox alert in under two minutes.

Structured Logging

Every tool call writes a log line with tool name, caller IP, user-agent, and duration. Every rate limit hit writes a warning with a distinct prefix.

Captures: tool, ip, ua, duration, alert type

Vercel Log Drain

All function logs flow automatically from Vercel to the vercel dataset in Axiom. One-click integration, zero configuration.

Captures: host, path, method, status, region, deployment ID

Axiom Monitor

A MatchEvent monitor checks every minute for any log matching [mcp-alert] and sends an email to the team.

Captures: pattern match, alert routing, under 2 min to inbox
Total cost: zero

The Rate Limiter Test

55 rapid requests. 50 pass. 5 blocked. The limit resets after 60 seconds.

Legend: green = 200 OK, red = 429 Too Many Requests

$ for i in $(seq 1 55); do curl -s -o /dev/null -w "%{http_code} " -X POST /api/mcp ...; done
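The limiter behind that 55-request test, together with the [mcp-alert] log line from the Structured Logging layer and step 1 of the hardening list, as an added JavaScript example (not the AutomationSwitch server's own code): a sliding-window limiter with an injectable clock so the 60-second reset can be reproduced in-process. The ip/ua/tool field names and the exact log line format are assumptions.

```javascript
// Sliding-window limiter: 50 calls/min per IP, 200/min global, 429 with a
// Retry-After value on violation, plus an [mcp-alert] line carrying tool, ip
// and user-agent. The clock is injectable so the 60 s reset can be reproduced.
const WINDOW_MS = 60_000;
const PER_IP_LIMIT = 50;
const GLOBAL_LIMIT = 200;

class McpRateLimiter {
  constructor(now = () => Date.now(), log = console.log) {
    this.now = now;          // clock, injectable for tests (assumption)
    this.log = log;          // sink for structured log lines
    this.perIp = new Map();  // ip -> timestamps of calls inside the window
    this.global = [];        // timestamps of all calls inside the window
  }

  // Drop timestamps that have aged out of the window (oldest first).
  prune(list, now) {
    while (list.length && now - list[0] >= WINDOW_MS) list.shift();
    return list;
  }

  // Decide one tool call: { status: 200 | 429, retryAfter (seconds), log }.
  check({ ip, ua, tool }) {
    const now = this.now();
    const ipCalls = this.prune(this.perIp.get(ip) ?? [], now);
    this.perIp.set(ip, ipCalls);
    this.prune(this.global, now);
    const scope = ipCalls.length >= PER_IP_LIMIT ? 'ip'
      : this.global.length >= GLOBAL_LIMIT ? 'global' : null;
    if (scope) {
      // The oldest call in the exhausted bucket decides when capacity frees up.
      const oldest = scope === 'ip' ? ipCalls[0] : this.global[0];
      const retryAfter = Math.max(1, Math.ceil((oldest + WINDOW_MS - now) / 1000));
      // ua is caller-controlled: JSON-quote it so it cannot forge log fields.
      const line = `[mcp-alert] rate_limit scope=${scope} ip=${ip} ua=${JSON.stringify(ua)} tool=${tool} retry_after=${retryAfter}`;
      this.log(line);
      return { status: 429, retryAfter, log: line };
    }
    ipCalls.push(now);
    this.global.push(now);
    return { status: 200, retryAfter: 0, log: null };
  }
}

// The page's test in-process: a burst of calls from one IP, status codes in order.
function runBurst(limiter, ip, count) {
  return Array.from({ length: count }, () =>
    limiter.check({ ip, ua: 'curl/8.0', tool: 'search_directories' }).status);
}
```

In a Vercel function the 429 branch maps to `Retry-After: <retryAfter>` on the response, and the Axiom monitor on the page matches the `[mcp-alert]` prefix of the logged line.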

Seven Steps to a Hardened MCP Server

Stop at step 4 for meaningful protection. Complete all seven for production-grade security.

  1. Rate limit your endpoint (this afternoon)
     Sliding-window rate limiter: 50 calls/min per IP, 200 global. Return 429 with Retry-After headers.

  2. Add alerting (same day)
     Log a distinct prefix like [mcp-alert] on every violation. Route to a Slack webhook or Axiom.

  3. Strip sensitive fields (15 minutes)
     Audit every tool response for fields that bypass your business model. Remove download URLs.

  4. Add caller identity to logs (30 minutes)
     Include IP, user-agent, tool name, and duration on every tool call log.

  5. Input validation (1 to 2 hours)
     Validate slug formats, cap string lengths, reject unexpected parameters.

  6. OTel instrumentation (half day)
     Add OpenTelemetry spans with custom attributes. Send to Grafana Cloud, Axiom, or Datadog.

  7. API keys for heavy consumers (larger scope)
     Free API key tier for per-consumer tracking, revocation, and future monetisation.
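Step 5 in working form, which is also the implementer-owned "Input sanitisation for tool params" row of the spec table: an added JavaScript example (not the site's own code) that validates a JSON-RPC tools/call request against a per-tool allowlist before anything is dispatched. The tool names come from the tool table on this page; the parameter names (slug, query, limit) and the length caps are assumptions.

```javascript
// Allowlist validation for MCP tools/call parameters: slug format, length
// caps, unexpected keys rejected. Tool names are from the page's tool table;
// the parameter names and limits are assumptions for illustration.
const SLUG_RE = /^[a-z0-9]+(?:-[a-z0-9]+)*$/;  // no spaces, slashes or shell metacharacters
const MAX_SLUG = 64;
const MAX_QUERY = 200;
const has = (o, k) => Object.prototype.hasOwnProperty.call(o, k);  // ignores prototype keys

const isSlug = (v) => typeof v === 'string' && v.length <= MAX_SLUG && SLUG_RE.test(v);
const isQuery = (v) => typeof v === 'string' && v.length > 0 && v.length <= MAX_QUERY
  && !/[\u0000-\u001f\u007f]/.test(v);  // free text, but no control characters
const isLimit = (v) => Number.isInteger(v) && v >= 1 && v <= 50;

// Per-tool schema: every accepted parameter, its checker and whether it is
// required. Anything not listed here never reaches the tool handler.
const TOOL_SCHEMAS = {
  get_directory: { slug: { check: isSlug, required: true } },
  search_directories: {
    query: { check: isQuery, required: true },
    limit: { check: isLimit, required: false },
  },
};

// Validate one JSON-RPC tools/call request before dispatch. Returns
// { ok, errors }; a non-empty errors list maps to a JSON-RPC error reply.
function validateToolCall(req) {
  const errors = [];
  if (!req || req.jsonrpc !== '2.0' || req.method !== 'tools/call') {
    errors.push('expected a JSON-RPC 2.0 tools/call request');
  }
  const name = req?.params?.name;
  if (typeof name !== 'string' || !has(TOOL_SCHEMAS, name)) {
    return { ok: false, errors: [...errors, `unknown tool: ${String(name)}`] };
  }
  const schema = TOOL_SCHEMAS[name];
  const args = req.params.arguments ?? {};
  if (typeof args !== 'object' || args === null || Array.isArray(args)) {
    return { ok: false, errors: [...errors, 'arguments must be an object'] };
  }
  for (const key of Object.keys(args)) {  // reject anything outside the schema
    if (!has(schema, key)) errors.push(`unexpected parameter: ${key}`);
    else if (!schema[key].check(args[key])) errors.push(`invalid value for ${key}`);
  }
  for (const [key, spec] of Object.entries(schema)) {
    if (spec.required && !has(args, key)) errors.push(`missing parameter: ${key}`);
  }
  return { ok: errors.length === 0, errors };
}
```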

MCP Gateway Landscape

Proxy layers that add audit trails, rate limiting, and policy enforcement without modifying server code.

| Gateway | Audit Trail | Rate Limiting | Dashboard | SOC 2 |
|---|---|---|---|---|
| MintMCP | SOC 2 Type II compliant | Gateway policies | Real-time dashboards | Yes |
| MCP Manager | Fully traceable logs | Runtime guardrails | Custom alerts | Unconfirmed |
| MXCP (RAW Labs) | Who / what / when / allowed | Policy denial tracking | Web + REST + CLI | Unconfirmed |
| Peta (Agent Vault) | Per-agent, per-tool | Human-in-the-loop | Peta Console | Unconfirmed |
| Azure MCP | Azure Monitor integration | Azure-native | Azure dashboards | Azure compliance |

Connect Your Agent to Our MCP Server

Fifteen read-only tools across six groups. All security controls from this infographic are running.

| Group | Tools | Description |
|---|---|---|
| MCP Directories | search_directories, get_directory, compare_directories | Search, retrieve, and compare MCP server directories with editorial scores |
| Agent Frameworks | search_frameworks, get_framework | Query agent frameworks by language, MCP support, or hosting model |
| AI Coding Assistants | search_coding_assistants, get_coding_assistant | Search assistants by IDE support, MCP support, pricing, or editorial score |
| Skill Sources | search_skills, get_skill_source | Browse SKILL.md sources by platform or domain |
| Decision Engine | choose_tool, assess_current_stack, evaluate_switch, recommend_path | Recommendations on workflow automation platforms with scored reasoning |
| Site Tools | list_tools, list_assets, get_audit | Browse interactive tools, downloadable infographics, and self-serve audits |

Infographic Sources (12 references)

We reviewed the sources below to support the statistics, breach data, and frameworks referenced in this infographic.

  1. ToxicSkills: Malicious AI Agent Skills
     Snyk (Security Research)
     Supply chain statistics: 36.8% vulnerability rate, 13.4% critical, 76 malicious payloads

  2. Vulnerable MCP Project
     Vulnerable MCP Project (CVE Database)
     50 catalogued vulnerabilities, 13 critical severity across the MCP ecosystem

  3. COSAI MCP Security Analysis
     COSAI / OASIS (Security Analysis)
     Capability attestation recommendations, tool poisoning attack vectors

  4. MCP Authorization Specification
     MCP Specification (Protocol Specification)
     OAuth 2.1 + PKCE requirements, token binding, session security

  5. MCP Security Best Practices
     MCP Specification (Security Guidance)
     SSRF mitigation, sandboxing recommendations, consent requirements

  6. MCP Sampling Attack Vectors
     Palo Alto Unit 42 (Threat Research)
     Bidirectional sampling exploitation, prompt injection via MCP servers

  7. Timeline of MCP Security Breaches
     AuthZed (Incident Timeline)
     Asana, WordPress, Supabase, GitHub MCP breach documentation

  8. MCP Spec Updates: OAuth 2.1 Resource Indicators
     Auth0 (Specification Analysis)
     RFC 8707 mandatory since March 2026, OAuth 2.1 implementation details

  9. MCP Security: Understanding Risks and Controls
     Red Hat (Security Analysis)
     Zero-click RCE via document MCPs, sandboxing recommendations

  10. Anthropic MCP Design Flaw: STDIO Command Injection
      The Register (Security Reporting)
      200,000+ servers affected, Anthropic declined to patch

  11. Equipping Agents for the Real World with Agent Skills
      Anthropic (Engineering Blog)
      72% engineering team adoption rate for autonomous coding agents

  12. Context Engineering for Coding Agents
      Martin Fowler (Technical Analysis)
      Context engineering framework and agent configuration best practices
