Model Context Protocol (MCP) Security
Table of Contents
Quick Answer
MCP security protects the connections that let AI applications use external tools, resources, files, data, and APIs. The main controls are trusted server selection, scoped authorization, least-privilege tools, protected credentials, argument validation, sandboxing, human approval for sensitive actions, and complete audit logs.
What Is MCP Security?
Model Context Protocol (MCP) security is the practice of safely connecting AI applications to external capabilities. MCP standardizes how a host application communicates with servers that expose tools, resources, and prompts. The protocol makes integration easier, but it does not automatically decide whether a server, tool, requested action, or returned result should be trusted.
The safest design separates connection from permission. An agent may discover a tool, but a deterministic policy layer must still verify identity, scope, target resource, argument values, business rules, and whether a person must approve the action.
How MCP Hosts, Clients and Servers Work
The host contains the AI application and creates a client for each server connection. The server exposes capabilities, while a separate policy boundary decides which identity may use which capability against which resource.
Application zone
Server zone
Connection is not permission. Discovery and transport never replace resource-level authorization and business-policy checks.
| Component | Role | Primary risk | Required control |
|---|---|---|---|
| Host | Runs the AI application | Over-trusting model output | Policy enforcement |
| Client | Manages a server connection | Unsafe discovery or authorization | Server verification |
| Server | Exposes capabilities | Excessive access | Authentication and scoped authorization |
| Tool | Performs an action | Tool misuse or poisoning | Schema and action validation |
| Resource | Supplies data | Leakage or context injection | Access control and filtering |
| Transport | Carries messages | Hijacking or interception | Secure transport and session handling |
MCP Trust Boundaries
Every boundary can carry identity, permissions, data, instructions, or executable intent. A model response is not authorization. A tool schema is not proof that the implementation behaves as described. A valid token is not proof that the current user should access the requested record. Each layer must independently enforce its responsibility.
Top MCP Security Risks
The OWASP MCP Top 10 is currently a beta-stage living document. It highlights token exposure, excessive scope, tool poisoning, supply-chain compromise, unsafe execution, intent-flow subversion, weak authentication, missing telemetry, shadow servers, and context over-sharing.
MCP risk coverage map
| Group | Categories |
|---|---|
| Identity and authorization | 3 |
| Tools and supply chain | 3 |
| Execution and intent | 2 |
| Audit and governance | 1 |
| Context and data | 1 |
MCP Authentication vs Authorization
| Decision | Question |
|---|---|
| Authentication | Who is the user, client, service, or agent? |
| Authorization | Which resources and actions may this identity use? |
| Policy validation | Is this exact requested action safe in the current context? |
| Approval | Does a person need to confirm the impact? |
OAuth and Scoped Access
For remote servers that handle user data or sensitive operations, use OAuth-based authorization with protected-resource metadata, authorization-server discovery, PKCE, explicit consent, minimum scopes, short-lived tokens, protected token storage, and no token passthrough. OAuth starts the authorization process; the application must still enforce resource-level and business-level policy.
Local vs Remote MCP Servers
| Area | Local server | Remote server |
|---|---|---|
| Main exposure | Local process, files and user privileges | Network, identity and external APIs |
| Credentials | Local credential store or tightly scoped environment | OAuth or equivalent scoped authorization |
| Key control | Sandboxing and process permissions | Authentication, authorization and transport security |
| Common mistake | Running with full user privileges | Broad scopes or weak server trust |
Third-party server review
Can This MCP Server Be Trusted?
Review the server before installation and again whenever definitions, versions or permissions change. Approval should be based on verifiable ownership, constrained access, observable behavior and a practical revocation path.
Ownership and provenance
Confirm who maintains the server and how it is distributed.
Verify- Use an approved registry or documented source.
- Record owner, version and business purpose.
- Reject unclear or abandoned projects for sensitive use.
Requested permissions
Review the exact tools, resources, scopes, files and network destinations requested.
Verify- Prefer read-only access.
- Separate high-impact write tools.
- Avoid broad wildcard scopes.
Tool descriptions and schemas
Treat descriptions, parameter schemas and tool results as untrusted metadata.
Verify- Pin approved definitions.
- Diff changes before rollout.
- Validate actual behavior outside the model.
Execution environment
Limit what local or remote servers can reach.
Verify- Sandbox local processes.
- Restrict outbound network access.
- Keep secrets out of general environment variables.
Monitoring and revocation
Every connection needs logs and a practical way to stop it.
Verify- Log discovery, consent and calls.
- Alert on unusual actions or schema changes.
- Revoke tokens and disable servers quickly.
MCP and Agent-Security Timeline
Protocol guidance and external evidence relevant to MCP identity, authorization, server trust and operational control.
Model Context Protocol
MCP authorization guidance matured
The MCP specification documented OAuth-based authorization, resource metadata, scopes, PKCE, consent, and token-handling expectations.
Official MCP authorization guideOWASP GenAI Security Project
OWASP agentic security benchmark released
OWASP published the Top 10 for Agentic Applications 2026, making identity, tools, memory, supply chain, and autonomy distinct security concerns.
OWASP Agentic Top 10NIST
NIST launched an AI Agent Standards Initiative
NIST highlighted interoperable and secure agents, including identity, authentication, authorization, evaluation, and protocol standards.
NIST announcementOWASP GenAI Security Project
Active exploitation reached an MCP workflow surface
OWASP reported active exploitation involving unsafe Flowise CustomMCP configuration handling, reinforcing that orchestration and configuration are executable trust boundaries.
OWASP Q1 2026 round-up
Case Study: Flowise CustomMCP Exploitation
OWASP's Q1 2026 exploit round-up reported active exploitation involving unsafe Flowise CustomMCP configuration handling. The defensive lesson is broader than one product: configuration, orchestration, custom tools, and server definitions can become executable trust boundaries. Treat them like code, restrict who can change them, patch quickly, and log every privileged configuration change.
This case study intentionally omits vulnerable configuration values and exploitation steps.
Secure MCP Deployment Checklist
- Inventory approved MCP servers and record their owners.
- Verify server provenance, package source and update process.
- Use minimum scopes, short-lived credentials and secure storage.
- Separate read-only tools from write, delete, payment and administration tools.
- Validate tool arguments and business rules outside the model.
- Restrict filesystem, process and network access.
- Sandbox local servers and isolate trust domains.
- Require approval for sensitive, irreversible or externally visible actions.
- Log discovery, consent, calls, results and definition changes.
- Provide token revocation, server disable and emergency rollback controls.
Explore AI Security Topics
FAQs
Sources and further reading
- Model Context Protocol - Introduction — Official MCP architecture and component overview
- Model Context Protocol - Authorization — OAuth-based authorization, scopes, consent and token guidance
- Model Context Protocol - Security Best Practices — Client, server, session and deployment security guidance
- OWASP MCP Top 10 — Beta-stage living document covering MCP security risks
- NIST AI Agent Standards Initiative — Secure and interoperable agent standards work
- OWASP GenAI Incident Exploit Round-Up Q1 2026 — Flowise CustomMCP and other recent agent-security incident lessons