Canva MCP Server — agentic threat model
The Canva MCP Server introduces significant agentic risk by bridging LLMs directly to a user's Canva account, enabling automated design creation, brand asset manipulation, and file exports via OAuth. The primary risk is exfiltration of proprietary brand assets and intellectual property if the agent is manipulated via prompt injection.
OWASP AIVSS score rationale
| Agentic risk factor | Value |
| --- | --- |
| Autonomy of Action | 0.60 |
| Goal-Driven Planning | 0.50 |
| Self-Modification | 0.10 |
| Dynamic Tool Use | 0.70 |
| Persistent Memory | 0.30 |
| Contextual Awareness | 0.60 |
| Dynamic Identity | 0.50 |
| Multi-Agent Interactions | 0.40 |
| Non-Determinism | 0.60 |
| Opacity & Reflexivity | 0.50 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Layer 1, Foundation Models (not certain from the listing): The Canva MCP server does not specify its underlying foundation model, but it is susceptible to prompt injection attacks that could force the model to abuse the provided Canva tools to exfiltrate or alter brand assets.
Layer 2, Data Operations: The server accesses sensitive brand templates, user designs, and media assets. The primary threat is exfiltration of proprietary design IP and unauthorized modification of brand assets via the search and autofill tools.
Layer 3, Agent Frameworks: The MCP framework exposes tools for creating, editing, and exporting designs. Insecure tool integration or a lack of strict input validation on the agent side could allow malicious instructions to trigger unintended design exports or content generation.
Layer 4, Deployment and Infrastructure: The service is hosted by Canva as a remote server. Security relies heavily on the isolation of this hosted environment and the secure handling of the OAuth tokens used to authenticate the remote MCP connection.
Layer 5, Evaluation and Observability (not certain from the listing): There is no mention of built-in guardrails, logging, or anomaly detection to monitor for unusual export volumes or unauthorized brand template modifications initiated by the agent.
Layer 6, Security and Compliance: Authentication is handled via hosted OAuth, which provides a robust identity layer. However, fine-grained authorization (authZ) within the Canva account is critical to prevent the agent from accessing assets outside its intended scope.
Layer 7, Agent Ecosystem: As an MCP server, this tool is designed to be called by other orchestrators and agents. This introduces cascading risks where a compromised upstream agent can abuse the Canva MCP tools to deface designs or exfiltrate data.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).
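One way to cover the tool-validation, monitoring and authorization gaps described in the layer threats above, as an added example that is not Canva's or the MCP project's code: a client-side gate that checks each tool call against a scope allowlist, holds brand-asset changes for user approval, and caps exports per time window. The tool names, limits and class are assumptions, since the page does not list the server's actual tool identifiers.

```python
import time
from collections import deque

# Hypothetical tool names: the page names capabilities (search, autofill,
# create, export) but not the server's real tool identifiers.
READ_TOOLS = {"search_designs"}
WRITE_TOOLS = {"create_design", "autofill_brand_template"}
EXPORT_TOOLS = {"export_design"}


class ToolCallGate:
    """Policy check run on the agent side before a tool call is forwarded."""

    def __init__(self, allowed, max_exports=3, window_s=600, clock=time.monotonic):
        self.allowed = set(allowed)      # tools this agent is scoped to
        self.max_exports = max_exports   # export budget per sliding window
        self.window_s = window_s
        self.clock = clock
        self.exports = deque()           # timestamps of allowed exports
        self.audit = []                  # one record per decision

    def check(self, tool, args, approved_by_user=False):
        now = self.clock()
        decision, reason = self._decide(tool, now, approved_by_user)
        if decision == "allow" and tool in EXPORT_TOOLS:
            self.exports.append(now)
        # Log argument names only, so design content is not copied into logs.
        self.audit.append((now, tool, sorted(args), decision, reason))
        return decision, reason

    def _decide(self, tool, now, approved_by_user):
        if tool not in self.allowed:
            return "deny", "tool outside this agent's scope"
        if tool in WRITE_TOOLS and not approved_by_user:
            return "hold", "brand asset change needs user approval"
        if tool in EXPORT_TOOLS:
            # Drop exports that have aged out of the window, then check budget.
            while self.exports and now - self.exports[0] > self.window_s:
                self.exports.popleft()
            if len(self.exports) >= self.max_exports:
                return "deny", "export volume above budget for window"
        return "allow", "within policy"
```

The `audit` list is the record to ship to a log pipeline; denied and held entries are the signals to alert on.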