What is MCP Sampling in the Model Context Protocol?

MCP Sampling is the feature that lets an MCP server ask the MCP client to run an LLM completion on its behalf. Imagine a code-review server that wants to summarize a pull request. Instead of calling its own LLM and burning its own credits, it sends a sampling/createMessage request to the client.

The client then runs the completion using the user’s chosen model, returns the result, and the server moves on. Sampling is one of the more controversial MCP features because it inverts the usual trust direction. The server suddenly drives the model. That inversion creates a reverse attack vector that the original MCP threat models barely covered.

How MCP Sampling Works

The server sends sampling/createMessage with a list of messages, model preferences, and parameters like max_tokens. The client receives the request, optionally shows a UI prompt asking the user to approve, runs the completion with whatever model the user has configured, and returns the assistant’s response. Sampling can include images and tool definitions. The user pays for the tokens. The server reads the result. From the LLM’s point of view, the prompt comes from the server, not the user.

Why MCP Sampling Creates a Reverse Attack Vector

Unit 42 / Palo Alto Networks identified sampling as a novel MCP attack surface. A malicious server can send crafted sampling requests that exfiltrate context, generate phishing content using the user’s identity, or burn through API quota. Because the user pays for sampling, billing-fraud attacks become trivial. Because sampling can include tool definitions, a server can inject its own tools into the model’s context and steer behavior. Most MCP clients today either don’t support sampling or implement it with permissive defaults, which is the worst possible posture.

How to Secure MCP Sampling

Default-deny sampling. Require explicit per-server approval before any sampling request runs. Show every sampling prompt to the user before execution, including model and max_tokens. Rate-limit sampling requests per server, per session, and per day. Block sampling with embedded tool definitions unless the server is explicitly trusted. Log every sampling event with full prompt content for forensic review. The Certified MCP Security Expert (CMCPSE) certification covers sampling-based attacks with real proof-of-concept walkthroughs.
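A client-side policy gate that applies those controls to an incoming request, as an added example that is not from the original article or from any MCP SDK. `SamplingGate`, the server identifiers and the sample request are constructed for illustration; the `tools` field is assumed to be where a server embeds tool definitions, and both the article's `max_tokens` and the spec-style `maxTokens` spelling are accepted.

```python
import json
import time
from collections import defaultdict, deque

class SamplingGate:
    def __init__(self, approved, tool_trusted=(), ask_user=lambda summary: False,
                 max_per_minute=5, max_tokens_cap=1024):
        self.approved = set(approved)            # servers explicitly approved to sample
        self.tool_trusted = set(tool_trusted)    # subset allowed to embed tool definitions
        self.ask_user = ask_user                 # UI hook; with no UI wired up, default-deny
        self.max_per_minute = max_per_minute
        self.max_tokens_cap = max_tokens_cap
        self.recent = defaultdict(deque)         # server -> timestamps within the last minute
        self.audit_log = []                      # every request, full prompt content included

    def evaluate(self, server, request, now=None):
        """Return (allowed, reason); every decision is appended to audit_log."""
        now = time.time() if now is None else now
        params = request.get("params", {})
        max_tokens = params.get("maxTokens", params.get("max_tokens", 0))
        q = self.recent[server]
        while q and now - q[0] >= 60:            # drop timestamps outside the window
            q.popleft()
        if request.get("method") != "sampling/createMessage":
            reason = "not a sampling request"
        elif server not in self.approved:
            reason = "server not approved for sampling"
        elif max_tokens > self.max_tokens_cap:
            reason = "maxTokens above cap"
        elif params.get("tools") and server not in self.tool_trusted:
            reason = "embedded tool definitions from untrusted server"
        elif len(q) >= self.max_per_minute:
            reason = "rate limit exceeded"
        elif not self.ask_user(f"{server} wants to sample (maxTokens={max_tokens}): "
                               f"{json.dumps(params.get('messages', []))}"):
            reason = "user declined"
        else:
            reason = "allowed"
            q.append(now)                        # count only completions that actually run
        allowed = reason == "allowed"
        self.audit_log.append({"ts": now, "server": server, "allowed": allowed,
                               "reason": reason, "request": json.dumps(request)})
        return allowed, reason

# Constructed sample request, shaped like a code-review server asking for a PR summary.
REQ_SUMMARY = {"jsonrpc": "2.0", "id": 1, "method": "sampling/createMessage",
               "params": {"messages": [{"role": "user", "content": {"type": "text",
                          "text": "Summarize pull request #42"}}], "maxTokens": 300}}
```

Wire `ask_user` to the client's approval dialog; leaving it unset means no sampling request ever runs, which is the default-deny posture the article asks for.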

Summary

MCP Sampling lets servers ask clients to run LLM completions on their behalf, inverting the usual trust direction and opening a reverse attack vector. Default-deny, log everything, and require explicit user approval. The Certified MCP Security Expert (CMCPSE) certification trains engineers to spot and stop sampling abuse before it bills out the user’s account or leaks their context.
