HashiCorp Vault MCP Server — agentic threat model
The HashiCorp Vault MCP Server exposes highly sensitive secrets management capabilities (read/write KV secrets and mount creation) directly to LLMs, presenting a high-impact risk profile if compromised, though mitigated by local-use design and origin-binding controls.
OWASP AIVSS score rationale
| Agentic risk factor | Score |
| --- | --- |
| Autonomy of Action | 0.40 |
| Goal-Driven Planning | 0.20 |
| Self-Modification | 0.00 |
| Dynamic Tool Use | 0.90 |
| Persistent Memory | 0.10 |
| Contextual Awareness | 0.30 |
| Dynamic Identity | 0.80 |
| Multi-Agent Interactions | 0.20 |
| Non-Determinism | 0.40 |
| Opacity & Reflexivity | 0.30 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent, in MAESTRO layer order. Layers tagged "Not certain from the listing" are general, caveated commentary where the public description did not pin that layer.
1. Foundation Models: Not certain from the listing — The MCP server itself does not specify a foundation model, but any connected model is susceptible to prompt injection that could trick it into exfiltrating or modifying Vault secrets.
2. Data Operations: Not certain from the listing — No direct RAG or vector database is mentioned, but the agent acts as a direct pipeline to read and write highly sensitive KV secrets data.
3. Agent Frameworks: The agent exposes powerful tools (list/read/write KV secrets, create mounts) over stdio and StreamableHTTP. Insecure tool integration or lack of strict input validation could allow an LLM to execute unauthorized Vault operations.
4. Deployment & Infrastructure: Designed for local use over stdio or StreamableHTTP. The documentation explicitly warns of DNS-rebinding risks on HTTP (a malicious web page can reach a localhost-bound listener through a hostname it controls), requiring the configuration of MCP_ALLOWED_ORIGINS to prevent unauthorized local network access.
5. Evaluation & Observability: Not certain from the listing — The description does not detail built-in logging, audit trails, or guardrails to monitor and intercept anomalous secret retrieval patterns by the LLM.
6. Security & Compliance: Demands extremely tight scoping and token privilege management. The agent's access is bound to the underlying Vault token's policies, making proper Vault ACL configuration the primary security boundary.
7. Agent Ecosystem: As an MCP server, it is designed to be called by other client agents. If a parent agent or orchestrator is compromised, the Vault MCP server could be abused to systematically dump or overwrite an organization's entire secrets store.
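The origin-binding control named under the deployment layer, as an added Go example (not the Vault MCP server's own code): an HTTP middleware that takes a comma-separated allowlist, as MCP_ALLOWED_ORIGINS would supply via os.Getenv, and rejects requests whose Host is not a loopback name or whose Origin header is not on the list, which is what stops a DNS-rebinding page from reaching a localhost-bound StreamableHTTP endpoint. The allowlist format, the loopback Host check, the function names and the sample origins are assumptions.

```go
package main

import (
	"net"
	"net/http"
	"strings"
)

// parseAllowedOrigins turns a comma-separated allowlist (assumed format of
// MCP_ALLOWED_ORIGINS; constructed helper, not the project's parser) into a
// lookup set. Entries are trimmed and lower-cased; empty entries are dropped.
func parseAllowedOrigins(raw string) map[string]bool {
	allowed := make(map[string]bool)
	for _, o := range strings.Split(raw, ",") {
		if o = strings.ToLower(strings.TrimSpace(o)); o != "" {
			allowed[o] = true
		}
	}
	return allowed
}

// requestAllowed decides whether a request may reach the MCP endpoint. A
// DNS-rebinding page reaches the local server under a hostname it controls,
// so both Host and the browser-sent Origin carry that hostname rather than
// localhost; rejecting on either header stops the request.
func requestAllowed(host, origin string, allowed map[string]bool) bool {
	h := host
	if hp, _, err := net.SplitHostPort(host); err == nil {
		h = hp // drop the port before comparing against loopback names
	}
	h = strings.ToLower(strings.Trim(h, "[]"))
	if h != "localhost" && h != "127.0.0.1" && h != "::1" {
		return false
	}
	// Non-browser clients (a local CLI) send no Origin; browsers must match the list.
	return origin == "" || allowed[strings.ToLower(origin)]
}

// originGuard wraps the MCP handler and rejects requests that fail the check.
func originGuard(allowed map[string]bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !requestAllowed(r.Host, r.Header.Get("Origin"), allowed) {
			http.Error(w, "forbidden origin", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}
```

Wrap the StreamableHTTP handler with originGuard(parseAllowedOrigins(os.Getenv("MCP_ALLOWED_ORIGINS")), handler) and bind the listener to 127.0.0.1 rather than all interfaces.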
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).