What is the OWASP Top 10 for MCP (Model Context Protocol)?

The OWASP MCP Top 10 is an official OWASP project (version v0.1 / 2025 IDs, in Beta — Phase 3 Pilot Testing) cataloging the ten most critical security risks specific to deployments of the Model Context Protocol (MCP) — the open standard agents and LLMs use to call external tools, data sources, and services. The risks span secret and token mismanagement, scope creep, tool poisoning, supply-chain tampering, command and prompt injection, weak auth, missing audit, shadow servers, and context over-sharing.

Where MCP sits in the agentic stack

• MCP is the tool/protocol layer — the wire format and server contract that an agent uses to discover and invoke tools, read resources, and reach external systems. It sits beneath the agent-skill layer: skills (named behavior packages) decide *what* an agent does; MCP servers are *how* the agent actually touches the outside world.
• Because MCP is where natural-language intent becomes real-world action (a shell command, an API call, a database write), it is the concrete realization of OWASP LLM06:2025 Excessive Agency. Several MCP risks below are the agentic tool-misuse threats — manipulating an agent into invoking its legitimately-authorized tools in unintended, destructive ways — made specific to the protocol surface.
• Many items also map to the OWASP Agentic AI taxonomy: MCP06 prompt injection plus autonomous multi-step tool use amplifies into Agentic Goal Hijack (ASI01), which fuses LLM01 Prompt Injection with LLM06 Excessive Agency.

MCP01:2025 — Token Mismanagement & Secret Exposure

• Description: Hard-coded credentials, long-lived tokens, and secrets stored in model memory, configs, environment variables, or protocol logs. Attackers retrieve them via prompt injection, compromised context, or log access, gaining unauthorized access to downstream systems. Also covers token passthrough, where an MCP server blindly forwards a client-supplied token to upstream APIs.
• Key mitigation: Use short-lived, narrowly-scoped, ephemeral OAuth tokens instead of long-lived PATs; never store secrets in server code, configs, env vars, or model context (use OS-native secure storage like Keychain or Credential Manager); reject token passthrough and have the server obtain its own scoped credentials per audience; validate token audience binding so a token for one server can't be replayed against another.
• Maps to: LLM07 System Prompt Leakage / Sensitive Information Disclosure; CWE-798 Hard-coded Credentials, CWE-522 Insufficiently Protected Credentials.

MCP02:2025 — Privilege Escalation via Scope Creep

• Description: Loosely defined or temporarily-granted permissions on MCP servers expand over time, giving agents excessive capabilities. An attacker exploiting weak scope enforcement performs unintended actions — repository modification, system control, data exfiltration — a classic confused-deputy condition.
• Key mitigation: Enforce least-privilege per server; use scoped, per-server credentials and narrow OAuth scopes (e.g., mail.readonly vs mail.full_access); set automated token/permission expiry with periodic access reviews; apply rate limits, quotas, and timeouts per session/tenant; require human-in-the-loop confirmation for destructive, financial, or data-sharing operations.
• Maps to: LLM06:2025 Excessive Agency (excessive permissions/functionality); Agentic ASI03 Identity & Privilege Abuse; CWE-269 Improper Privilege Management.

MCP03:2025 — Tool Poisoning

• Description: An adversary compromises tools, plugins, or their outputs to inject malicious or misleading context that manipulates model behavior. Includes malicious instructions hidden in tool descriptions and parameter schemas (the schema itself is an injection surface), rug pulls (a server silently changes a tool's definition after the user approved it), schema poisoning, and tool shadowing (a fake/duplicate tool intercepts calls meant for a trusted one).
• Key mitigation: Inspect the full tool schema (name, description, params) before approval; cryptographically pin or hash tool definitions at discovery and re-verify before execution, alerting and re-prompting on any post-approval change (rug-pull detection); run automated scanners (such as mcp-scan or equivalent tooling — note: mcp-scan is an Invariant Labs tool, an external attribution, not stated by OWASP) to detect poisoned descriptions and cross-server shadowing; use strict JSON Schema with additionalProperties:false; strip instruction-like patterns from tool metadata and outputs.
• Maps to: Closely related to LLM01:2025 Prompt Injection and Agentic Tool Misuse; overlaps MCP04 for rug-pulls of third-party servers.

MCP04:2025 — Software Supply Chain Attacks & Dependency Tampering

• Description: MCP ecosystems depend on open-source packages, connectors, and model-side plugins that may be malicious or vulnerable. A compromised dependency or server package can alter agent behavior or introduce execution-level backdoors. Includes typosquatting of MCP server packages and malicious or abandoned third-party servers.
• Key mitigation: Install servers only from verified sources with exact package-name verification; require code review before installation and verify integrity via checksums or code signing; track an SBOM and scan dependencies for known vulnerabilities, blocking servers that fail CI scans; continuously monitor installed servers for post-install malicious behavior.
• Maps to: LLM03:2025 Supply Chain; CWE-1357 / CWE-829 Inclusion of Functionality from Untrusted Control Sphere; aligns with NSA/CISA software supply-chain guidance.

MCP05:2025 — Command Injection & Execution

• Description: Occurs when an agent constructs and executes system commands, shell scripts, API calls, SQL, or code snippets from untrusted input (often LLM-generated parameters) without validation or sanitization, enabling OS command injection, SQL injection, or path traversal.
• Key mitigation: Treat all LLM-generated and tool parameters as untrusted and validate/sanitize at the MCP server layer; use parameterized queries and safe APIs — never concatenate raw shell commands or unsanitized file paths; validate output before returning it to the LLM; sandbox tool execution (containers, chroot, restricted FS/network).
• Maps to: LLM05:2025 Improper Output Handling; CWE-78 OS Command Injection, CWE-89 SQL Injection, CWE-22 Path Traversal. Reportedly ~43% of early-2026 MCP CVEs were shell injections.

MCP06:2025 — Intent Flow Subversion (Prompt Injection via Contextual Payloads)

• Description: Indirect/contextual prompt injection — malicious instructions embedded in retrieved context (tool responses, fetched documents, web-scraped HTML, memory entries, resources) that the agent merges with its instruction template and follows, hijacking the user's original intent ("intent flow subversion"). Because models are built to follow natural-language instructions, this is both powerful and subtle.
• Naming note: The canonical OWASP project index and GitHub list this item verbatim as "MCP06:2025 - Intent Flow Subversion"; "Prompt Injection via Contextual Payloads" is the title of the per-item detail page. Both refer to the same risk.
• Key mitigation: Treat every tool response and retrieved resource as untrusted data, never as instructions, and sanitize before injecting into context; add explicit system-prompt rules that tool/context returns are data and cannot override user or system instructions; strip HTML-like/system tags (<IMPORTANT>, <system>) and alert on imperative "ignore/forget" patterns; use guardrail/plan-review models with intent-alignment and drift detection that pause on deviation; require human approval for destructive actions.
• Maps to: Directly LLM01:2025 Prompt Injection (indirect variant); with autonomous multi-step tool use it amplifies into Agentic Goal Hijack (ASI01).

MCP07:2025 — Insufficient Authentication & Authorization

• Description: MCP systems fail to properly verify identities or enforce access controls across multiple agents, clients, and services — including missing authentication, weak session handling, and token passthrough — allowing impersonation, session hijacking, and unauthorized tool access.
• Key mitigation: Require OAuth 2.1 with PKCE on every remote server, with per-client consent and audience-bound tokens (reject passthrough); bind session IDs to user context (e.g., user_id:session_id) and validate per request using cryptographically random IDs; enforce TLS on all remote (HTTP/SSE) transports, validate the Host header, and verify server identity; apply least-privilege authorization checks at the tool/function level.
• Maps to: OWASP API2 Broken Authentication / API5 Broken Function Level Authorization; aligns with the MCP spec's OAuth 2.1 requirements; CWE-287 Improper Authentication, CWE-306 Missing Authentication.

MCP08:2025 — Lack of Audit and Telemetry

• Description: Limited or absent logging of MCP tool invocations prevents detection and investigation of unauthorized or anomalous actions. Comprehensive, immutable audit trails are essential for forensics and anomaly detection in agentic systems.
• Key mitigation: Log every tool invocation with full parameters, user/session context, correlation IDs, and timestamps; maintain detailed, immutable audit trails integrated with a SIEM; alert on suspicious patterns (new tools, admin-level queries, abnormal frequency); redact secrets and PII from logs and run regular security audits and simulated attacks.
• Maps to: OWASP API9 Improper Inventory Management / Security Logging & Monitoring Failures (Top 10 A09); CWE-778 Insufficient Logging.

MCP09:2025 — Shadow MCP Servers

• Description: Unapproved or unmanaged MCP server deployments operate outside formal security governance — often with default credentials, no monitoring, and untrusted code — expanding the attack surface invisibly (the MCP form of shadow IT).
• Key mitigation: Maintain an approved-server allowlist enforced at an MCP gateway/proxy; verify server identity and block dynamic discovery/registration from untrusted networks; inventory and monitor all servers and disallow default credentials; govern installation through a central, audited process.
• Maps to: Shadow IT / OWASP API9 Improper Inventory Management; related to Agentic identity-and-discovery abuse; CWE-1059 / governance gaps.

MCP10:2025 — Context Injection & Over-Sharing

• Description: Shared context windows or memory expose sensitive information from one task, user, agent, or tenant to another. Includes cross-context data bleed and over-broad context that leaks PII, secrets, or proprietary data between sessions or agents.
• Key mitigation: Strictly partition context per user, session, tenant, and task — never share context windows across trust boundaries; apply field-level access controls and DLP scanning at the MCP proxy; minimize context by passing only the data a tool needs; isolate sensitive servers (payment, auth, PII) from general-purpose ones.
• Maps to: LLM02:2025 Sensitive Information Disclosure; multi-tenant isolation failures; CWE-200 Exposure of Sensitive Information.

Relation to LLM06 Excessive Agency and agentic tool misuse

• MCP is the surface where Excessive Agency becomes real. LLM06 warns about an agent having too much *functionality, permission, or autonomy*; MCP02 (scope creep), MCP05 (command execution), and MCP07 (authz) are exactly where over-broad tool access turns into damaging actions.
• Tool misuse is a protocol-level concern. MCP03 (tool poisoning) and MCP06 (intent flow subversion) are how an attacker *steers* an agent into misusing its authorized tools — the agentic tool-misuse threat realized at the MCP layer.
• Skills sit above, MCP below. Hardening skills alone is insufficient: the same trust boundary must be enforced at the protocol/tool layer where the agent actually executes.

MCP-server hardening checklist

• Tokens & secrets: short-lived scoped OAuth tokens only; no secrets in code/config/env/context; OS-native secret storage; reject token passthrough; validate audience binding; secret-scan in CI and redact logs.
• Least privilege & scope: minimum permissions per server; narrow OAuth scopes; automated expiry and periodic access reviews; rate limits, quotas, timeouts; human-in-the-loop for destructive/financial/data-sharing actions.
• Tool integrity: inspect full tool schemas before approval; cryptographically pin/hash tool definitions and re-verify before execution (rug-pull detection); run poisoning/shadowing scanners; strict JSON Schema (additionalProperties:false); strip instruction-like patterns from metadata and outputs.
• Supply chain: verified sources and exact package names (anti-typosquat); code review + checksums/signing before install; SBOM and dependency scanning; continuous post-install monitoring.
• Injection defense: treat all tool params and LLM output as untrusted; parameterized queries and safe APIs; sandbox execution (containers/chroot, restricted FS/network); treat all retrieved context as data, not instructions; guardrail/plan-review and intent-drift detection.
• Auth & transport: OAuth 2.1 + PKCE on remote servers; audience-bound tokens, no passthrough; session IDs bound to user context and validated per request; TLS everywhere; Host-header validation and server-identity verification; tool-level authz checks.
• Audit & governance: log every invocation (params, identity, correlation IDs, timestamps) to immutable trails + SIEM; alert on anomalies; redact secrets/PII; enforce an approved-server allowlist at a gateway/proxy; block untrusted dynamic discovery; no default credentials; central audited installation.
• Isolation & data: partition context per user/session/tenant/task; field-level access controls and DLP at the proxy; data minimization; isolate sensitive (payment/auth/PII) servers from general-purpose ones.