MCP Security Fundamentals: The 2026 Guide for Security Teams

Varun Kumar

MCP security fundamentals matter because the Model Context Protocol now connects AI agents to databases, cloud APIs, file systems, and internal tools across the enterprise. One compromised MCP server gives an attacker the same reach as the AI agent it serves. 

The evidence is already public. CVE-2025-49596 hit MCP Inspector at CVSS 9.4. The first malicious MCP package ran undetected for two weeks in September 2025 while exfiltrating email data. If your team ships AI agents, you need to know what MCP exposes and how to protect it.


What MCP security covers

MCP is an open protocol from Anthropic, released in late 2024. It connects LLMs to external tools using a client-server model over JSON-RPC 2.0. MCP security covers every component in that chain: the host application, the MCP client, the MCP server, the transport layer, the tools each server exposes, and the credentials the server holds. The MCP specification is explicit that the protocol itself enforces no security controls; that responsibility sits with implementers.

How MCP security differs from API security

Traditional API security assumes a human sends a request through a UI. MCP changes that assumption. An LLM picks the tool, builds the arguments, and triggers the call based on input that may include data from emails, tickets, files, or web pages. 

That input can carry hidden instructions. Signature-based controls miss attacks that operate at the semantic level. The AI itself becomes a confused deputy. So MCP security has to handle prompt injection, tool poisoning, and credential abuse on top of standard authn/authz, transport, and supply chain risks.

The 5 pillars of MCP security

1. Authentication and authorization
Use OAuth 2.1 with PKCE. Validate token audience on every inbound request. MCP servers must reject tokens not issued for them. No token passthrough. Bind sessions to user identity. The MCP specification 2025-11-25 lets you delegate auth to an external identity provider, which cuts custom code.
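The audience check and the no-passthrough rule above, as an added example (not code from the MCP specification or any MCP SDK). It uses only the standard library: the HMAC key, the two resource URLs and the claim layout are constructed for the demo, and a real server would verify against the identity provider's published keys instead of a shared secret. The point it shows is that a token signed by the right authorization server is still rejected if its `aud` names a different service, and that the upstream call gets its own token rather than the inbound one.

```python
"""Audience validation and no-passthrough handling for bearer tokens at an MCP server.

Added example, stdlib only. Key, URLs and claim layout are constructed for the demo.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed: key shared by the demo authorization server and its resource servers.
DEMO_AUTH_SERVER_KEY = b"constructed-demo-key-not-for-production"
# Constructed: the resource identifier this MCP server accepts as its audience.
THIS_SERVER_AUDIENCE = "https://mcp.example.internal/tickets"
# Constructed: an upstream API the server calls on the user's behalf.
UPSTREAM_AUDIENCE = "https://api.example.internal/crm"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(subject: str, audience: str, ttl: int = 300, now: Optional[int] = None) -> str:
    """Mint a compact JWT-shaped token (header.claims.signature) bound to one audience."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = _b64url(json.dumps(
        {"sub": subject, "aud": audience, "iat": now, "exp": now + ttl}).encode())
    signing_input = f"{header}.{claims}"
    sig = hmac.new(DEMO_AUTH_SERVER_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_for_this_server(token: str, now: Optional[int] = None) -> dict:
    """Accept a token only if signature, expiry and audience all check out.

    Raises PermissionError otherwise. A token minted for another service is
    rejected even though the same authorization server signed it.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise PermissionError("malformed token")
    header, claims_b64, sig_b64 = parts
    expected = hmac.new(DEMO_AUTH_SERVER_KEY, f"{header}.{claims_b64}".encode(),
                        hashlib.sha256).digest()
    # Constant-time comparison so signature checks do not leak timing.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise PermissionError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("exp", 0) <= now:
        raise PermissionError("token expired")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if THIS_SERVER_AUDIENCE not in audiences:
        raise PermissionError("token not issued for this server")
    return claims


def token_for_upstream(inbound_claims: dict, now: Optional[int] = None) -> str:
    """Get a token for the upstream call instead of forwarding the inbound one.

    The demo mints it directly; a real server would run a token exchange with
    the identity provider. Either way the upstream never receives a token whose
    audience is this MCP server.
    """
    return mint_token(inbound_claims["sub"], UPSTREAM_AUDIENCE, now=now)


if __name__ == "__main__":
    good = mint_token("alice", THIS_SERVER_AUDIENCE)
    print("accepted for:", verify_for_this_server(good)["sub"])
    try:
        verify_for_this_server(mint_token("alice", UPSTREAM_AUDIENCE))
    except PermissionError as err:
        print("rejected:", err)
```

Run it as a script to see one accepted and one rejected token. If `token_for_upstream` simply returned the inbound token, the upstream's own audience check would either reject it or, worse, not exist, which is exactly the passthrough failure the text warns about.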

2. Transport security
Use TLS 1.3 for all remote MCP traffic. Apply mTLS for server-to-server calls. Turn on DNS rebinding protection for any local HTTP transport. Local stdio transport carries different risks since it runs on the host with full user privileges.

3. Input validation
Treat every tool input as hostile. Sanitize before it reaches a database, shell, or another API. Watch for prompt injection through tool descriptions, resource content, and external data the agent reads. The Anthropic SQLite MCP server, forked 5,000+ times, had a SQL injection flaw that enabled stored prompt injection.
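The defect class described above, shown as a tool handler that pastes a model-built argument into SQL beside the fixed version. This is an added example, not code from the SQLite MCP server the text mentions; the `notes` table, its rows and the `owner` allowlist pattern are constructed for the demo. The fixed form does two things the text asks for: it validates the argument against an allowlist before it reaches a backend, and it binds the value as a query parameter so it can never change the query's structure.

```python
"""A tool handler that builds SQL from LLM-chosen arguments, beside its fixed form.

Added example; the table and rows are constructed for the demo.
"""
import re
import sqlite3

# Constructed allowlist for the `owner` argument: short, lowercase account names only.
OWNER_PATTERN = re.compile(r"^[a-z0-9_-]{1,32}$")


def make_demo_db() -> sqlite3.Connection:
    """In-memory table standing in for whatever backend the tool fronts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, owner TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO notes (owner, body) VALUES (?, ?)",
        [("alice", "Q3 roadmap draft"), ("bob", "standup notes"), ("alice", "vendor call")],
    )
    conn.commit()
    return conn


def search_notes_vulnerable(conn: sqlite3.Connection, owner: str) -> list:
    """The defect: the argument is interpolated into the SQL text, so whatever
    the model was induced to place in `owner` becomes part of the query."""
    rows = conn.execute(
        f"SELECT body FROM notes WHERE owner = '{owner}' ORDER BY id").fetchall()
    return [body for (body,) in rows]


def search_notes_safe(conn: sqlite3.Connection, owner: str) -> list:
    """Parameter binding: the value is data, never query structure."""
    rows = conn.execute(
        "SELECT body FROM notes WHERE owner = ? ORDER BY id", (owner,)).fetchall()
    return [body for (body,) in rows]


def validate_owner(owner) -> str:
    """Allowlist check on the argument before it reaches any backend."""
    if not isinstance(owner, str) or not OWNER_PATTERN.match(owner):
        raise ValueError(f"owner must match {OWNER_PATTERN.pattern}")
    return owner


def handle_search_notes(conn: sqlite3.Connection, arguments: dict) -> list:
    """Tool entry point: the `arguments` dict is what the model built from the
    tool schema, so it is validated first and then queried with binding."""
    owner = validate_owner(arguments.get("owner"))
    return search_notes_safe(conn, owner)


if __name__ == "__main__":
    db = make_demo_db()
    print(handle_search_notes(db, {"owner": "alice"}))
```

The vulnerable handler is also how the stored prompt injection the text mentions gets in: once an attacker can shape what the query returns, the rows the model reads next are under their control. The allowlist step is what turns a malformed argument into a refused call rather than a silently empty result.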

4. Session management
Generate session IDs with a cryptographically secure RNG. Bind them to user identity using a format like <user_id>:<session_id>. Rotate, expire, and invalidate sessions on logout. Never use sessions as the authentication mechanism. Set the Secure (HTTPS-only) and SameSite cookie flags.
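A session store that follows the rules above, as an added example (not from any MCP SDK). It uses `secrets.token_urlsafe` for the ID, the `<user_id>:<session_id>` binding format from the text, and a `resolve` call that takes the identity established by the token check on the current request: the session is never accepted on its own as proof of who the caller is. The TTL, user names and clock values are constructed for the demo.

```python
"""Session handling for an MCP server: CSPRNG ids bound to the authenticated user,
with expiry, rotation and logout. Added example; TTL and identities are constructed.
"""
import hmac
import secrets
import time
from typing import Optional


class SessionStore:
    def __init__(self, ttl_seconds: int = 900):
        self.ttl = ttl_seconds
        self._sessions: dict = {}  # "<user_id>:<session_id>" -> {"user", "expires"}

    @staticmethod
    def _now(now: Optional[float]) -> float:
        return time.time() if now is None else now

    def create(self, user_id: str, now: Optional[float] = None) -> str:
        """Mint a key of the form <user_id>:<session_id>; the id is 256 random bits."""
        session_id = secrets.token_urlsafe(32)  # backed by os.urandom
        key = f"{user_id}:{session_id}"
        self._sessions[key] = {"user": user_id, "expires": self._now(now) + self.ttl}
        return key

    def resolve(self, key: str, authenticated_user: str,
                now: Optional[float] = None) -> Optional[str]:
        """Return the bound user, or None if the session is unknown, expired, or
        presented by a different identity than it was bound to.

        `authenticated_user` comes from the token check on this request. The
        session key alone never authenticates anyone.
        """
        record = self._sessions.get(key)
        if record is None:
            return None
        if record["expires"] <= self._now(now):
            self._sessions.pop(key, None)  # expired sessions are dropped, not kept
            return None
        if not hmac.compare_digest(record["user"].encode(), authenticated_user.encode()):
            return None
        return record["user"]

    def rotate(self, key: str, authenticated_user: str,
               now: Optional[float] = None) -> Optional[str]:
        """Issue a fresh id for the same user (e.g. after a privilege change);
        the old key stops working immediately."""
        user = self.resolve(key, authenticated_user, now)
        if user is None:
            return None
        self.invalidate(key)
        return self.create(user, now)

    def invalidate(self, key: str) -> None:
        """Logout: remove the session server-side so the key cannot be replayed."""
        self._sessions.pop(key, None)

    def active_count(self) -> int:
        return len(self._sessions)


if __name__ == "__main__":
    store = SessionStore(ttl_seconds=60)
    key = store.create("alice")
    print(key.split(":")[0], store.resolve(key, "alice"))
    print("as bob:", store.resolve(key, "bob"))
```

Because the user ID is part of the key, a stolen session can only be replayed by a caller who also passes the token check as that same user, which is the property the "never use sessions as the authentication mechanism" rule is meant to guarantee.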

5. Supply chain
Pin MCP server versions. Verify package signatures. Run SCA on all dependencies. Watch for typosquatted MCP packages on npm and PyPI. The September 2025 incident was a malicious package, not a code flaw. A signed-package policy would have blocked it.

Top MCP attack patterns to know

  • Prompt injection:
    Hidden instructions inside data the AI processes. The agent acts on them as if they came from the user.
  • Tool poisoning:
    An attacker changes a tool’s description or schema so the AI calls it incorrectly. OWASP MCP Top 10 lists this as a top risk.
  • Confused deputy:
    The MCP server acts with its own permissions instead of the user’s. The AI gets more access than intended.
  • Token passthrough:
    An MCP server forwards an upstream token instead of one issued to itself. This bypasses audience checks.
  • Session hijacking:
    Weak or predictable session IDs let an attacker take over a logged-in user.
  • Excessive tool permissions: 
    A server registers tools with broad scopes. The AI invokes them, and damage spreads laterally.
  • Supply chain compromise:
    A malicious or backdoored MCP package executes with full user privileges on the host.
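One way to detect the tool-poisoning and rug-pull pattern listed above: pin a fingerprint of every approved tool's name, description and input schema, then compare each fresh `tools/list` result against the pins and flag anything new, changed or missing. This is an added example, not code from the OWASP MCP Top 10 project or any MCP client; the tool definitions, the server name and the phrase list for the description heuristic are constructed for the demo, and the heuristic is only a coarse hint that a human should read the text, not a classifier.

```python
"""Tool poisoning detection: pin approved tool definitions and flag drift.

Added example; tool definitions and the phrase list are constructed.
"""
import hashlib
import json
import re

# Constructed heuristic: instruction-like phrasing inside text the model will read.
SUSPICIOUS_PHRASES = re.compile(
    r"ignore (?:all )?(?:previous|prior) instructions"
    r"|do not (?:tell|mention|show)"
    r"|<important>"
    r"|before (?:calling|using) this tool",
    re.IGNORECASE,
)


def tool_fingerprint(tool: dict) -> str:
    """SHA-256 over a canonical form of the fields the model actually sees."""
    canonical = json.dumps(
        {"name": tool["name"],
         "description": tool.get("description", ""),
         "inputSchema": tool.get("inputSchema", {})},
        sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def suspicious_text(tool: dict) -> list:
    """Return every instruction-like phrase found in the description or in
    any parameter description of the tool's input schema."""
    texts = [tool.get("description", "")]
    for prop in tool.get("inputSchema", {}).get("properties", {}).values():
        texts.append(prop.get("description", ""))
    return [m.group(0) for text in texts for m in SUSPICIOUS_PHRASES.finditer(text)]


class ToolPinRegistry:
    def __init__(self):
        self._pins: dict = {}  # server -> {tool name: fingerprint}

    def approve(self, server: str, tools: list) -> None:
        """Record the reviewed tool set for a server."""
        self._pins[server] = {t["name"]: tool_fingerprint(t) for t in tools}

    def check(self, server: str, tools: list) -> list:
        """Compare a freshly listed tool set with the pinned one; empty means clean."""
        pinned = self._pins.get(server)
        if pinned is None:
            return [f"{server}: no approved pin; review before use"]
        findings, seen = [], set()
        for t in tools:
            name = t["name"]
            seen.add(name)
            if name not in pinned:
                findings.append(f"{server}/{name}: unpinned tool appeared")
            elif pinned[name] != tool_fingerprint(t):
                findings.append(f"{server}/{name}: definition changed since approval")
            for phrase in suspicious_text(t):
                findings.append(f"{server}/{name}: instruction-like text {phrase!r}")
        for name in sorted(pinned.keys() - seen):
            findings.append(f"{server}/{name}: pinned tool missing")
        return findings


if __name__ == "__main__":
    reg = ToolPinRegistry()
    approved = [{"name": "read_file", "description": "Read a file by path.",
                 "inputSchema": {"type": "object",
                                 "properties": {"path": {"type": "string"}}}}]
    reg.approve("files-server", approved)
    print(reg.check("files-server", approved))
```

The registry gives the client a concrete place to stop: a non-empty result from `check` should block tool use until someone re-approves, which is what turns a silently mutated description into a visible event rather than a successful attack.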

A starting checklist

  • Inventory every MCP server linked to your AI applications.
  • Apply OAuth 2.1 + PKCE on all remote MCP servers.
  • Validate token audience on every inbound request.
  • Sanitize every tool input and output.
  • Sign and verify MCP packages before install.
  • Log every tool invocation with user, session, server, and arguments.
  • Rate limit per user, session, and tool.
  • Run a tabletop exercise on prompt injection through email.
  • Map your controls to OWASP MCP Top 10.
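The two runtime items on the checklist, logging every tool invocation with user, session, server and arguments, and rate limiting per user, session and tool, implemented together as an added example (not code from any MCP SDK or from Practical DevSecOps). It is a sliding-window limiter in front of the tool dispatcher that writes one JSON audit line per call, allowed or denied. The limits, window, user names and sample calls are constructed for the demo, and the per-tool limit is scoped per user so one caller cannot consume another's budget.

```python
"""Invocation gate: per-user, per-session and per-tool rate limits plus one
structured audit line for every tool call. Added example; values are constructed.
"""
import json
import time
from collections import defaultdict, deque
from typing import Optional


def _bounded_arguments(arguments: dict, limit: int = 200) -> dict:
    """Keep the audit line bounded: long string values are cut, never dropped."""
    out = {}
    for key, value in arguments.items():
        text = value if isinstance(value, str) else json.dumps(value, sort_keys=True)
        out[key] = text if len(text) <= limit else text[:limit] + "...[truncated]"
    return out


class InvocationGate:
    def __init__(self, limits: dict, window_seconds: int = 60):
        # limits: calls allowed per window, e.g. {"user": 100, "session": 50, "tool": 20}
        self.limits = limits
        self.window = window_seconds
        self._calls: dict = defaultdict(deque)  # scope key -> timestamps of allowed calls
        self.audit_log: list = []

    def _count(self, key: tuple, now: float) -> int:
        """Drop timestamps outside the window, then count what is left."""
        q = self._calls[key]
        while q and q[0] <= now - self.window:
            q.popleft()
        return len(q)

    def invoke(self, user: str, session: str, server: str, tool: str,
               arguments: dict, now: Optional[float] = None) -> tuple:
        """Decide whether this call may proceed and record it either way."""
        now = time.time() if now is None else now
        scopes = {
            "user": ("user", user),
            "session": ("session", user, session),
            "tool": ("tool", user, tool),
        }
        allowed, reason = True, "allowed"
        for scope, key in scopes.items():
            if self._count(key, now) >= self.limits.get(scope, float("inf")):
                allowed, reason = False, f"rate limit exceeded for {scope}"
                break
        if allowed:  # denied calls do not consume budget
            for key in scopes.values():
                self._calls[key].append(now)
        self.audit_log.append(json.dumps({
            "ts": now, "user": user, "session": session, "server": server,
            "tool": tool, "arguments": _bounded_arguments(arguments),
            "allowed": allowed, "reason": reason,
        }, sort_keys=True))
        return allowed, reason


if __name__ == "__main__":
    gate = InvocationGate({"user": 100, "session": 50, "tool": 2})
    for _ in range(3):
        print(gate.invoke("alice", "s1", "tickets", "search", {"q": "open"}))
    print(gate.audit_log[-1])
```

Feeding `audit_log` to the SIEM gives the fields the checklist asks for on every call, and because denials are logged with their reason, a burst of "rate limit exceeded for tool" lines for one user is itself a detection signal for the excessive-tool-use and lateral-damage pattern described above.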

Conclusion

Hands-on labs build the skill faster than reading specs. The Certified MCP Security Expert (CMCPSE) course from Practical DevSecOps covers MCP threat modeling, OWASP MCP Top 10, authn/authz patterns, prompt injection defense, tool poisoning detection, and secure MCP server build practices. The course runs in browser-based labs, so you practice exploits and fixes on real MCP servers. If you ship AI agents to production, your team needs this skill before an attacker tests it for you.

Varun Kumar

Security Research Writer

Varun is a Security Research Writer specializing in DevSecOps, AI Security, and cloud-native security. He takes complex security topics and makes them straightforward. His articles provide security professionals with practical, research-backed insights they can actually use.
