← weaviate/mcp-server-weaviate
weaviate/mcp-server-weaviate — agentic threat model
The Weaviate MCP server presents a significant data-plane risk, acting as a direct vector for prompt injection and memory poisoning that can compromise downstream agents. Its security posture depends heavily on robust credential scoping and input sanitization of retrieved vector data.
OWASP AIVSS score rationale
| Autonomy of Action | 0.20 | |
| Goal-Driven Planning | 0.10 | |
| Self-Modification | 0.40 | |
| Dynamic Tool Use | 0.30 | |
| Persistent Memory | 0.90 | |
| Contextual Awareness | 0.70 | |
| Dynamic Identity | 0.30 | |
| Multi-Agent Interactions | 0.50 | |
| Non-Determinism | 0.40 | |
| Opacity & Reflexivity | 0.30 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Not certain from the listing — The MCP server itself does not define or host the foundation model, but retrieved documents from Weaviate directly feed the model, creating a significant prompt-injection surface.
This layer is highly critical as the server directly manages Weaviate collections. Primary threats include knowledge-base poisoning via malicious document injection, embedding inversion, and unauthorized data exfiltration of sensitive vectorized data.
The server acts as a tool and chat-memory store. Memory poisoning is a major threat, where malicious inputs are persisted into the vector database and subsequently retrieved to hijack agent orchestration or planning flow.
Not certain from the listing — The deployment environment (local MCP host, network access to Weaviate instance) is managed by the user, though credential scoping and network exposure of the Weaviate instance are key risks.
Not certain from the listing — No built-in evaluation, logging, or guardrail mechanisms are described in the directory listing to detect poisoned embeddings or anomalous retrieval patterns.
Credential scoping is explicitly mentioned as a key security boundary. Weak access controls or over-privileged API keys could allow unauthorized read/write access to sensitive Weaviate collections.
In a multi-agent ecosystem, sharing a Weaviate collection as a common memory store introduces risks of cross-agent memory poisoning and horizontal privilege escalation if agents trust retrieved data implicitly.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).