The fastest path into most AI agent deployments is not a zero-day exploit. It is a default configuration that nobody reviewed. MCP servers ship with insecure defaults because the protocol prioritizes ease of integration. Most teams racing to deploy AI capabilities accept those defaults without a systematic audit. That gap is exactly where attackers are currently focusing.
Over the past several months, as MCP adoption has accelerated across enterprises, a pattern has emerged in security assessments of AI agent infrastructure. The vulnerabilities found are rarely novel. They are the same misconfiguration categories we documented in API gateways a decade ago: missing authentication, overly permissive access scopes, absent logging, no transport security.
What makes them more dangerous in MCP environments is the context. These aren’t web APIs returning structured JSON. They are interfaces into AI agents that can read files, execute code, send emails, access databases, and take actions across an organization’s entire connected toolset.
A misconfigured MCP server is not just an exposed endpoint. It is an exposed endpoint with an AI agent attached to it. The blast radius of every misconfiguration scales with the agent’s capabilities.
What Counts as an MCP Security Misconfiguration
An MCP server security misconfiguration is any deviation from a secure baseline in the configuration of a Model Context Protocol server. This includes missing authentication controls, overly broad tool permissions, absent transport encryption, disabled audit logging, or failure to validate tool input schemas.
Misconfigurations differ from software vulnerabilities: they are caused by insecure defaults or operator decisions, not coding errors. This means they are fully preventable through systematic audit.
The distinction between a vulnerability and a misconfiguration matters for how you prioritize remediation. Software vulnerabilities require patches from the vendor and may have no available fix on a given timeline. Misconfigurations are entirely within the operator’s control. Every misconfiguration on this list can be remediated today, without waiting for a vendor update, without purchasing additional tooling, and in most cases without taking the MCP server offline.
Scope note: This audit guide assumes you have administrative access to the MCP server’s configuration. If you are assessing a third-party MCP server you do not control, the audit steps remain valid as a detection exercise. Remediation will require vendor engagement for anything beyond client-side controls.
The Eight Critical Misconfigurations
These are ordered by severity and exploitation frequency based on current MCP deployment assessments. Each entry includes what to look for, what the risk is if left unaddressed, and what the correct configuration looks like.
MC-01: No Authentication on MCP Endpoints
Severity: CRITICAL
How to detect
Send an unauthenticated GET request to the tool manifest endpoint. If you receive a 200 response with tool descriptions, authentication is absent. Test all three endpoint types: manifest, tool invocation, and resource access.
Risk if unaddressed
Any process or user on the network—or externally if the server is internet-facing—can invoke tools, retrieve sensitive data, and enumerate the full agent capability set without credentials.
Correct configuration
Every MCP endpoint must require authentication. Use API key authentication at minimum; OAuth 2.0 or mTLS for high-privilege servers. Return 401 on unauthenticated requests to all endpoints including the manifest.
MC-02: Overpermissioned Tool Scopes
Severity: CRITICAL
How to detect
Pull the tool manifest and list every tool’s declared capabilities. For each tool, document the minimum permission set required for the agent’s actual task. Compare against what the tool is currently permitted to do. Any delta is overpermissioning.
Risk if unaddressed
A successfully injected instruction can invoke any capability the tool has been granted, not just the capabilities the agent’s task requires. Overpermissioning converts a contained exploit into a full-capability compromise.
Correct configuration
Implement task-scoped permissions. A summarization agent needs read access, not write. A scheduling agent needs calendar write, not filesystem access. Enforce permission scopes at the server layer, not the prompt layer.
MC-03: Missing Transport Encryption (No TLS)
Severity: CRITICAL
How to detect
Verify the MCP server’s listening address. Confirm whether HTTP or HTTPS is in use. Attempt a plaintext HTTP connection. If it succeeds and returns tool data, TLS is not enforced. Check certificate validity and expiry if HTTPS is in use.
Risk if unaddressed
All tool invocations, parameter values, and tool responses—which may include sensitive data retrieved from connected services—are transmitted in plaintext and visible to any network-positioned adversary.
Correct configuration
Enforce HTTPS on all MCP endpoints. At minimum, answer plaintext HTTP connections with a 301 redirect to the HTTPS endpoint, or drop them at the network layer. Use certificates with a validity period of 90 days or less and automate renewal.
MC-04: No Tool Allowlisting
Severity: HIGH
How to detect
Review server configuration for an explicit tool allowlist. If no allowlist exists, all tools registered with the server are invocable by any authenticated agent session. Test by attempting to invoke tools outside the agent’s intended capability set.
Risk if unaddressed
A prompt injection attack that successfully executes can invoke any tool available on the server, including tools that were registered for a different agent or a different task context. This expands the available exfiltration and lateral movement paths.
Correct configuration
Implement per-session or per-agent tool allowlists. Each agent session should have an explicit list of tools it is authorized to invoke. Tool invocations against tools not on the list should be rejected at the server layer and logged.
MC-05: Disabled or Absent Audit Logging
Severity: HIGH
How to detect
Execute a tool invocation and verify that a log entry was created. Check whether the log captures: timestamp, authenticated identity, tool name invoked, parameter values passed, and response status. Invoke a tool with malformed parameters and verify the validation failure is logged.
Risk if unaddressed
Active attacks—including prompt injection exploitation, unauthorized tool invocations, and data exfiltration—produce no forensic record. Incident response is blind. You cannot confirm whether an attack occurred, when it started, or what it accessed.
Correct configuration
Log every tool invocation with the full parameter set, every manifest request, every authentication event (success and failure), and every input validation rejection. Ship logs to a SIEM with tamper-evident storage. Retain for a minimum of 90 days.
MC-06: Missing Input Schema Validation
Severity: HIGH
How to detect
Submit tool invocations with parameters that violate the declared schema: wrong types, values outside declared ranges, excessively long strings, null values in required fields, and special characters in string parameters. If the server processes rather than rejects these inputs, schema validation is not enforced server-side.
Risk if unaddressed
Adversarially crafted tool parameters can trigger unexpected behavior in downstream services: SQL injection through database tools, path traversal through filesystem tools, or command injection through shell execution tools. The LLM is an untrusted input generator that will follow injected instructions to craft malicious parameters.
Correct configuration
Enforce strict JSON Schema validation on all tool parameters at the server layer before the tool executes. Reject inputs that fail validation with a 400 response and a logged error. Never rely on the LLM to sanitize its own tool parameters. The model is not a trust boundary.
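A server-layer gate of the kind MC-04 and MC-06 call for, as an added example that is not the page's or any MCP project's code. The session ids, tool names and schemas are assumptions constructed for the illustration, and the validator covers only the JSON Schema keywords those schemas use.

```python
import re
# Added example, not the page's or any MCP project's code: a server-layer gate that
# enforces a per-session tool allowlist (MC-04) and strict parameter-schema
# validation (MC-06) before a tool runs. Session ids, tools and schemas are constructed.
SESSION_ALLOWLIST = {
    "summarizer-7f2a": {"read_file"},      # read-only summarization agent
    "scheduler-03c1": {"create_event"},    # calendar agent, no filesystem tools
}
TOOL_SCHEMAS = {
    "read_file": {"type": "object", "required": ["path"], "properties": {
        # sandbox-relative path: no leading "/", no ".." anywhere, bounded length
        "path": {"type": "string", "maxLength": 256,
                 "pattern": r"(?!/)(?!.*\.\.)[A-Za-z0-9_./-]+"}}},
    "create_event": {"type": "object", "required": ["title"],
                     "properties": {"title": {"type": "string", "maxLength": 120}}},
}
AUDIT_LOG = []  # stands in for the SIEM sink required by MC-05

def validate(value, schema, where="$"):
    """Return the list of violations for the JSON Schema subset used above."""
    kind, errs = schema.get("type"), []
    if kind == "object":
        if not isinstance(value, dict):
            return [f"{where}: expected object"]
        errs += [f"{where}.{k}: required" for k in schema.get("required", []) if k not in value]
        for k, v in value.items():
            if k in schema.get("properties", {}):
                errs += validate(v, schema["properties"][k], f"{where}.{k}")
            else:  # unknown keys are rejected, never passed downstream silently
                errs.append(f"{where}.{k}: not permitted")
    elif kind == "string":
        if not isinstance(value, str):
            return [f"{where}: expected string"]
        if len(value) > schema.get("maxLength", 4096):
            errs.append(f"{where}: exceeds maxLength")
        if "pattern" in schema and not re.fullmatch(schema["pattern"], value):
            errs.append(f"{where}: does not match pattern")
    return errs

def authorize_invocation(session_id, tool, params):
    """Gate one invocation: returns (http_status, detail) and logs the decision."""
    if tool not in SESSION_ALLOWLIST.get(session_id, set()):
        status, detail = 403, f"tool {tool!r} not on allowlist for {session_id}"
    elif errs := validate(params, TOOL_SCHEMAS[tool]):
        status, detail = 400, "; ".join(errs)
    else:
        status, detail = 200, "accepted"
    AUDIT_LOG.append({"session": session_id, "tool": tool, "params": params,
                      "status": status, "detail": detail})
    return status, detail
```

The traversal payload from the MC-06 audit step is rejected with 400 before any filesystem call, and a scheduling session asking for `read_file` is rejected with 403; both decisions land in the audit log.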
MC-07: Unauthenticated Manifest Endpoint
Severity: MEDIUM
How to detect
Send an unauthenticated request specifically to the tool manifest endpoint (distinct from the tool invocation endpoint). Many servers that require auth for tool calls leave the manifest endpoint publicly accessible to support discoverability. Confirm whether tool names, descriptions, and parameter schemas are returned without credentials.
Risk if unaddressed
Public manifest exposure gives attackers a complete capability inventory for reconnaissance: tool names, parameter schemas, and description text, before they have obtained any credentials. This significantly accelerates targeted prompt injection and tool poisoning attacks against the server.
Correct configuration
The manifest endpoint should require the same authentication as the tool invocation endpoint. If discoverability for legitimate clients is required, implement manifest access with read-only scoped credentials separate from tool invocation credentials.
MC-08: No Rate Limiting on Tool Invocations
Severity: MEDIUM
How to detect
Submit a high-frequency burst of authenticated tool invocations (50+ requests in under 10 seconds) and observe whether the server applies any throttling. Check whether the server returns 429 responses or continues processing at full throughput indefinitely.
Risk if unaddressed
A compromised or injected agent can perform high-volume data exfiltration through unrestricted tool calls. Absent rate limiting also removes a behavioral anomaly signal. Unusually high invocation rates are often the earliest indicator of an active injection compromise.
Correct configuration
Implement per-session and per-tool rate limits. Establish a baseline of normal invocation frequency per task type and configure alerts for deviations exceeding 2x the baseline. Rate limit responses should be logged. Sustained rate limit triggering is itself an incident indicator.
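One way to implement the per-session, per-tool limit with the 2x-baseline alert, as an added example that is not the page's or any MCP project's code. The baseline and limit numbers are constructed, and the timestamp is passed in so the behaviour is deterministic.

```python
from collections import defaultdict, deque

# Added example, not the page's or any MCP project's code: a sliding-window limiter
# keyed by (session, tool) with per-task-type baselines. Over the hard limit the
# call gets 429; more than 2x the baseline inside the window raises an alert. The
# baseline and limit values below are constructed, not measurements.
WINDOW_SECONDS = 10
BASELINE = {"summarize": 5, "schedule": 3}      # normal invocations per window
HARD_LIMIT = {"summarize": 20, "schedule": 10}  # reject above this per window

class ToolRateLimiter:
    def __init__(self):
        self._hits = defaultdict(deque)  # (session, tool) -> timestamps in window
        self.events = []                  # 429s and anomaly alerts, for the SIEM

    def check(self, session, task_type, tool, now):
        """Return 200 or 429 for one invocation at time `now` (seconds)."""
        q = self._hits[(session, tool)]
        while q and now - q[0] >= WINDOW_SECONDS:
            q.popleft()                   # drop hits that have left the window
        if len(q) >= HARD_LIMIT[task_type]:
            self.events.append({"t": now, "session": session, "tool": tool,
                                "kind": "rate_limited", "status": 429})
            return 429
        q.append(now)
        if len(q) > 2 * BASELINE[task_type]:  # the page's 2x-baseline alert rule
            self.events.append({"t": now, "session": session, "tool": tool,
                                "kind": "anomaly_2x_baseline", "rate": len(q)})
        return 200

    def sustained_429s(self, session, tool, threshold=3):
        """Incident indicator: repeated rate-limit hits for one session and tool."""
        hits = [e for e in self.events if e["kind"] == "rate_limited"
                and (e["session"], e["tool"]) == (session, tool)]
        return len(hits) >= threshold
```

Against these constructed limits, the burst from the MC-08 audit step (60 calls in under 10 seconds) yields 20 accepted calls, 10 anomaly alerts and 40 rate-limited responses, and the repeated 429s flag the session as an incident indicator.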
Running the Audit: A Two-Hour Procedure
The following procedure covers all eight misconfiguration categories and can be completed against a single MCP server in approximately two hours by a practitioner with network access to the server and basic familiarity with HTTP tooling. It does not require specialized tooling. cURL, a proxy, and the server’s configuration file are sufficient for most checks.
Test MC-01: Unauthenticated manifest access
curl -s -o /dev/null -w "%{http_code}" http://your-mcp-server/manifest
Expected: 401 | Fail: 200 (a 301 here means the plaintext listener redirects to HTTPS; repeat the check against the https:// URL)
Test MC-03: Confirm TLS enforcement
curl -s -o /dev/null -w "%{http_code}" http://your-mcp-server/tools/invoke
Expected: 301 or connection refused (curl prints 000 when no HTTP response is received) | Fail: 200
Test MC-06: Test schema validation with malformed input
curl -X POST -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"tool":"read_file","params":{"path":"../../../etc/passwd"}}' \
  https://your-mcp-server/tools/invoke
Expected: 400 validation error | Fail: 200 with file content
Test MC-08: Baseline rate limit check
for i in {1..60}; do
  curl -s -o /dev/null -w "%{http_code}\n" \
    -H "Authorization: Bearer $TOKEN" \
    https://your-mcp-server/tools/invoke &
done
wait  # collect all 60 status codes before reading them
Expected: 429 responses after threshold | Fail: all 200
Conclusion
These eight misconfigurations are preventable. Audit this week. Build checks into your deployment pipeline. Treat audits as ongoing practice, not a project.
Ready to build complete MCP security? The Certified MCP Security Expert (CMCPSE) course covers authentication, hardening, incident response, and governance. Launching June 2026. Reserve early access.
Hands-on labs covering MCP server auditing, misconfiguration exploitation, prompt injection simulation, and enterprise defensive architecture. Built by practitioners who run these assessments in production environments.
Reserve early access at practical-devsecops.com