
MCP Server CVE Roundup 2026: Tool Poisoning & RCE in the Wild

MCP exploded in 2025 — hundreds of servers shipped by individuals, vendors, and platforms. The CVE volume has caught up. This page indexes the public vulnerabilities by class, with reproduction notes and the upstream fixes.

Updated 2026-06-10 · 9 min read · Vendor-neutral · primary sources

The six MCP CVE families we keep seeing

  1. Tool-description poisoning: malicious instructions in the JSON schema description field steer the host model.
  2. SSRF via fetch/HTTP tools that don't block internal IPs or cloud metadata endpoints.
  3. Path traversal in filesystem servers (../../../etc/passwd) when the root is not enforced server-side.
  4. Command injection in shell or git wrappers that interpolate model output into argv strings.
  5. Authless transports — SSE/HTTP endpoints bound to 0.0.0.0 with no token check.
  6. Confused-deputy: the MCP server holds a powerful token (e.g. GitHub PAT) and acts on whatever the model asks.

Anonymized incident sketches

We're cautious about naming specific servers before patches ship. The patterns below appear, almost verbatim, in multiple 2025–2026 advisories on the MITRE CVE feed.

The 'helpful README' case

A popular GitHub-issue MCP server returned full issue bodies to the model. A poisoned issue instructed the model to call the server's create_pull_request tool and exfiltrate .env contents. Fix: strip imperative-language sentences from tool output and require explicit user approval for write operations.

The metadata-endpoint case

A web-fetch MCP server forwarded arbitrary URLs server-side without an allowlist. A poisoned web page told the model to fetch http://169.254.169.254/latest/meta-data/iam/security-credentials/ — full AWS credentials returned into context. Fix: deny RFC1918 + metadata IPs at the transport layer.
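The transport-layer deny rule described above, as an added example that is not code from the original page or from any MCP server: a pre-fetch guard that resolves the target and rejects loopback, RFC 1918/ULA, link-local (which covers 169.254.169.254) and IPv4-mapped IPv6 addresses. The `resolver` hook and the host names in the comments are assumptions introduced so the check can run offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Added illustration; `resolver` is a hypothetical injection point that
# defaults to a real DNS lookup so the guard can be exercised without a network.

ALLOWED_SCHEMES = {"http", "https"}


def is_blocked_ip(ip_str: str) -> bool:
    """True for any address a fetch tool should never reach server-side."""
    ip = ipaddress.ip_address(ip_str)
    # Unwrap IPv4-mapped IPv6 (e.g. ::ffff:169.254.169.254) so IPv4 rules apply.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def resolve_all(host: str) -> list[str]:
    """Every A/AAAA answer for the host, not just the first one."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_fetch_target(url: str, resolver=resolve_all) -> tuple[bool, str]:
    """Return (allowed, reason). All resolved addresses must be public;
    a record mixing a public and an internal answer is rejected outright."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    try:
        addrs = [str(ipaddress.ip_address(host))]  # literal IP: skip DNS
    except ValueError:
        try:
            addrs = resolver(host)
        except OSError as exc:
            return False, f"resolution failed for {host}: {exc}"
    for addr in addrs:
        if is_blocked_ip(addr):
            return False, f"{host} resolves to non-public address {addr}"
    # Caller should connect to one of `addrs` (not re-resolve) and re-run
    # this check on every redirect hop, otherwise rebinding bypasses it.
    return True, f"{host} -> {addrs}"
```

The guard is only as strong as its placement: it must sit in the fetch tool's own code path, before any redirect is followed, not in the model-facing description.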

The 'just run the SQL' case

A database MCP server accepted free-form SQL from the model. A poisoned dataset triggered DROP TABLE statements. Fix: parameterized queries only; reject DDL; expose narrow named procedures instead of raw SQL.

What to test before connecting any MCP server

  • Read every tool description; look for hidden instructions to the model.
  • Diff the install script and postinstall hooks.
  • netstat -an: confirm the server binds to 127.0.0.1, not 0.0.0.0.
  • Send a request without auth headers — does it succeed?
  • Send a fetch request to 169.254.169.254 and to localhost:22.
  • Send path traversal to filesystem tools.
  • Send shell metacharacters to any command-execution tool.
  • Check whether tool descriptions are signed or content-addressed.

Report responsibly

Most MCP server CVEs in 2025–2026 came from independent researchers. huntr.com and the upstream repo's security policy are usually the right channels.

FAQ

Is there a central MCP CVE database?

Not yet. Track MITRE CVE + GitHub Security Advisories + the MCP working group's security mailing list.

Are official Anthropic-built MCP servers safer?

On average yes — they ship with stdio transports, explicit scopes, and have been red-teamed. Community servers are mixed.
