MCP Security: The Current Situation

DevOps, AI · Red Hat – DevOps (Category) · February 25, 2026

Why It Matters

MCP underpins the growing wave of agentic AI, so its vulnerabilities can lead to data exfiltration, privilege escalation, and widespread compromise across AI‑driven workflows.

Key Takeaways

  • Prompt injection exfiltrates private repo data via MCP.
  • Filesystem CVEs enable sandbox escape and arbitrary code execution.
  • Misconfigured MCP servers expose tools to local network attackers.
  • Apply least‑privilege, authentication, and strict input validation.
  • Continuous monitoring and network segmentation mitigate MCP attack surface.

Pulse Analysis

Agentic AI is shifting from simple chatbots to autonomous systems that orchestrate code repositories, CI/CD pipelines, and cloud services. The Model Context Protocol was created to provide a uniform client‑server interface for these interactions, promising portability and scalability. However, as LLMs gain the ability to act on behalf of users, the protocol’s trust model becomes a critical attack surface, demanding rigorous security controls beyond basic functional testing.

The recent MCP incidents illustrate how design oversights can be weaponized. GitHub’s prompt‑injection flaw leveraged a malicious issue to trick an AI assistant into pulling private data into a public pull request, highlighting the danger of trusting unfiltered external content. Anthropic’s Filesystem server suffered path‑validation and symlink bypass bugs (CVE‑2025‑53109, CVE‑2025‑53110) that broke sandbox confinement, allowing attackers to read, write, and execute arbitrary files. Moreover, a survey of public MCP deployments uncovered widespread “NeighborJack” exposures, where servers bound to 0.0.0.0 offered unauthenticated command execution to any device on the local network. These patterns reveal a systemic lack of least‑privilege enforcement and inadequate input sanitization.

Enterprises must adopt a defense‑in‑depth strategy for MCP. Immediate steps include binding services to loopback interfaces, enforcing strong authentication, and applying granular permission scopes for each tool. Robust path validation, sandbox hardening, and runtime security guardrails can prevent privilege‑escalation paths. Continuous monitoring, automated threat‑model testing, and network segmentation further reduce risk. Red Hat’s security‑focused offerings—such as OpenShift compliance modules and SELinux policies—provide the tooling needed to secure MCP deployments at scale, ensuring that the benefits of agentic AI are realized without compromising corporate data.
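The path‑validation point above is the kind of check a filesystem tool needs before touching a file. As an added example (not code from the Red Hat article or from any MCP server), the weak prefix‑style check sits beside a hardened version that resolves symlinks and compares path components against the allowed roots; the helper names and the constructed sandbox layout are hypothetical.

```python
import os
import tempfile
from pathlib import Path


def is_allowed_naive(path: str, allowed_root: str) -> bool:
    """Weak check: string prefix on the normalized path. Symlinks are not
    resolved, and '/tmp/allowed2' passes as if it were under '/tmp/allowed'."""
    return os.path.normpath(path).startswith(allowed_root)


def is_allowed(path: str, allowed_roots: list[str]) -> bool:
    """Hardened check: resolve symlinks and '..' on both the request and the
    root, then compare whole path components rather than string prefixes.
    Resolution is still a point-in-time view; a server should also open the
    file without following links where the platform allows it."""
    real = os.path.realpath(path)
    for root in allowed_roots:
        real_root = os.path.realpath(root)
        try:
            if os.path.commonpath([real, real_root]) == real_root:
                return True
        except ValueError:  # mixed absolute/relative or different drives
            continue
    return False


def demo() -> dict:
    """Constructed sandbox: an allowed root, a symlink inside it pointing
    outside, and a sibling directory sharing the root's name as a prefix."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "allowed")
    os.mkdir(root)
    outside = os.path.join(base, "secret.txt")
    Path(outside).write_text("private")
    link = os.path.join(root, "link")          # allowed/link -> ../secret.txt
    os.symlink(outside, link)
    sibling = root + "2"                       # allowed2, outside the root
    os.mkdir(sibling)
    return {
        "naive_symlink": is_allowed_naive(link, root),       # True (escape missed)
        "hardened_symlink": is_allowed(link, [root]),        # False
        "naive_sibling": is_allowed_naive(sibling, root),    # True (escape missed)
        "hardened_sibling": is_allowed(sibling, [root]),     # False
        "hardened_inside": is_allowed(os.path.join(root, "notes.md"), [root]),  # True
    }
```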

Original article: MCP security: The current situation