An MCP Client is the component inside an MCP Host that maintains a one-to-one connection with a single MCP Server. If the host has connections to GitHub, Slack, and a database server, three separate MCP clients are running side by side. Each client handles its own JSON-RPC message loop, capability negotiation, authentication, and tool routing for that server alone.
This isolation matters because it stops one compromised server from directly reading another server’s tokens or data. The MCP Client is also where transport-level security lives. STDIO clients sanitize subprocess arguments. HTTP clients handle OAuth 2.1 flows, store tokens, and validate TLS certificates. A weak client implementation undoes every server-side defense.
How an MCP Client Works
The client gets spawned by the host, connects to its assigned server over STDIO or Streamable HTTP, and starts the initialize handshake. During this handshake, both sides declare capabilities (tools, resources, prompts, sampling) and negotiate the protocol version. Once initialized, the client lists tools, fetches resource metadata, and forwards every tool call from the LLM to the server. It also handles notifications, including the listChanged event that signals when tool definitions have been updated mid-session.
Why MCP Clients Are a Security-Critical Layer
Clients are where most published CVEs hit in 2025. CVE-2025-6514 in mcp-remote let a malicious server inject shell commands through a crafted authorization_endpoint URL. CVE-2025-49596 in MCP Inspector enabled remote code execution through unsanitized client-side handling. The pattern is the same: clients trust server-supplied data they shouldn’t trust. A client that blindly opens URLs, executes commands, or stores tokens insecurely turns every connected server into a potential RCE primitive.
How to Harden an MCP Client
Validate every field returned by the server before passing it to OS-level functions. Use platform-native secure storage (macOS Keychain, Windows Credential Manager, Linux Secret Service) for OAuth tokens. Require TLS for HTTP transport and pin certificates for high-trust servers. Show tool description changes to the user explicitly. Reject server responses that exceed expected schemas. The Certified MCP Security Expert (CMCPSE) course teaches client-side hardening with real CVE walkthroughs.
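One way to apply the field validation described above to the server-supplied authorization_endpoint before it reaches an OS-level URL opener. This is an added example, not code from mcp-remote or any MCP SDK; the function names, the per-server host allowlist, and the sample values are assumptions made for illustration.

```javascript
// Added example: treat authorization_endpoint as untrusted input.
// Assumption: the host configures allowedHosts per server; all names here are hypothetical.
function validateAuthorizationEndpoint(raw, allowedHosts) {
  if (typeof raw !== 'string' || raw.length === 0 || raw.length > 2048) {
    throw new Error('authorization_endpoint must be a non-empty string of bounded length');
  }
  // Reject whitespace, control characters and backslashes up front: the URL
  // parser would silently strip or rewrite some of them instead of failing.
  if (/[\u0000-\u0020\u007f\\]/.test(raw)) {
    throw new Error('authorization_endpoint contains forbidden characters');
  }
  let url;
  try {
    url = new URL(raw);
  } catch {
    throw new Error('authorization_endpoint is not an absolute URL');
  }
  if (url.protocol !== 'https:') throw new Error('authorization_endpoint must use https');
  if (url.username || url.password) throw new Error('embedded credentials are not allowed');
  if (!allowedHosts.includes(url.hostname)) {
    throw new Error(`unexpected authorization host: ${url.hostname}`);
  }
  return url.href; // normalized form; use this, never the raw string
}

// Build an argv array for the platform's URL opener. The URL is always a
// single argument and is never interpolated into a command string.
function browserCommand(platform, href) {
  switch (platform) {
    case 'darwin': return { cmd: 'open', args: [href] };
    case 'win32': return { cmd: 'rundll32', args: ['url.dll,FileProtocolHandler', href] };
    default: return { cmd: 'xdg-open', args: [href] };
  }
}

function openAuthorizationPage(raw, allowedHosts) {
  const href = validateAuthorizationEndpoint(raw, allowedHosts);
  const { cmd, args } = browserCommand(process.platform, href);
  const { spawn } = require('node:child_process');
  // shell: false keeps the URL away from any shell's parser.
  return spawn(cmd, args, { shell: false, stdio: 'ignore', detached: true });
}

// Constructed sample values for illustration.
const ALLOWED = ['auth.example.com'];
const SAMPLE_OK = 'https://auth.example.com/oauth/authorize?client_id=demo';
```

Validation alone does not make a string safe for a shell, since characters that are legal in a URL can still be meaningful to a command interpreter; passing the URL as a single argv element with no shell is what removes that parser from the path.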
Summary
An MCP Client is the per-server connection inside an MCP Host that handles transport, authentication, and message routing. Most MCP-related CVEs in 2025 and 2026 trace back to client-side trust failures. Build, audit, or operate MCP clients the right way with the Certified MCP Security Expert (CMCPSE) certification.

