The OWASP MCP Top 10 is the first official security framework dedicated to the Model Context Protocol. Published in 2025 and currently in beta under project lead Vandana Verma Sehgal, it catalogs the ten risk categories most likely to break an MCP deployment. This is not theoretical.
Between January and February 2026 alone, researchers filed over 30 CVEs targeting MCP servers, clients, and tooling. Forty-three percent were shell injections. Palo Alto Unit 42 found that with five connected MCP servers, a single compromised server hit a 78.3% attack success rate. If you run agentic AI in production, this list applies to you.
What the OWASP MCP Top 10 Actually Is
It is a living document maintained at owasp.org/www-project-mcp-top-10. Risks are numbered MCP01:2025 through MCP10:2025. Categories are stable enough to cite, though rankings may shift as Phase 3 beta wraps. It exists because MCP changed the threat model. Before MCP, agents had a small, fixed toolset hardcoded into the app. With MCP, agents discover tools at runtime from any reachable server, and every server is a trust boundary.
The OWASP MCP Top 10 Risks (Full Breakdown)
MCP01: Token Mismanagement & Secret Exposure:
Hard-coded credentials, long-lived tokens, and secrets stored in model memory or logs. Attackers pull them through prompt injection or debug traces. Defense: Short-lived scoped tokens. Secret scanning. Never store secrets in agent context.
MCP02: Privilege Escalation via Scope Creep:
Permissions expand and rarely contract. Defense: Least-privilege scopes. Automated expiry. Quarterly access reviews.
MCP03: Tool Poisoning:
Malicious instructions hidden in tool descriptions, parameter schemas, or return values. The model reads them. The user does not. Defense: Pin and hash tool descriptions on first approval. Re-prompt on change. Strip instruction-like patterns (<IMPORTANT>, <system>) from tool outputs.
MCP04: Software Supply Chain Attacks & Dependency Tampering:
Compromised MCP packages, typosquatted servers, fake “official” connectors. The first malicious MCP package landed in September 2025.
Defense: Signed components. SBOM tracking. Block any server that fails CI scan.
MCP05: Command Injection & Execution:
The biggest pattern in 2026 CVE data. Agents build shell commands, SQL queries, or API calls from untrusted input.
Defense: Parameterized queries. Strict input validation. Sandbox tool execution. No raw shell concatenation, ever.
MCP06: Prompt Injection via Contextual Payloads:
Hidden instructions buried in retrieved data or tool responses hijack the agent. Defense: Treat tool output as data, not instructions. System prompt rules that override tool-returned commands. Human approval for destructive actions.
MCP07: Insufficient Authentication & Authorization.
CVE-2026-32211 hit the Azure MCP Server because the auth layer was missing. Common pattern. Defense: OAuth 2.1 with PKCE on every server. Per-client consent. Reject token passthrough.
MCP08: Lack of Audit and Telemetry
JSON-RPC 2.0 traffic does not fit standard SIEM rules. Most teams cannot reconstruct an MCP attack. Defense: Log every tool invocation, parameter, and decision. Pipe into SIEM with correlation IDs.
MCP09: Shadow MCP Servers
Agents discover servers dynamically. Without a trusted registry, a rogue server impersonates a real one and hijacks tool calls. Defense: Approved-server allowlist at the gateway. Server identity verification. Block dynamic discovery from untrusted networks.
MCP10: Context Injection & Over-Sharing
Shared context windows leak data across agents, sessions, or users. Tool responses dump too many fields into the model. Defense: Field-level access controls. DLP scanning at the proxy. Strict context partitioning per user and session.
Where to Start: Week-by-Week Prioritization
You do not fix all ten at once. Honest priority order:
Week 1. Fix MCP01, MCP07, MCP08. Short-lived tokens, OAuth 2.1, full audit logging. Closes most active CVE patterns.
Week 2. Hit MCP05 and MCP04. Parameterize every tool that touches a shell or database. Add CI scanning.
Week 3. Tackle MCP03, MCP06, MCP10 with a runtime proxy that inspects tool descriptions, arguments, responses, and applies DLP.
Week 4. Close MCP02 and MCP09 with an identity gateway and a server allowlist.
The Skills Gap Is Massive
Most AppSec engineers have never run an OWASP MCP Top 10 audit. The skill is new and high-paying right now. The Practical DevSecOps Certified MCP Security Expert (CMCPSE) course teaches every category in this list hands-on: tool poisoning labs, OAuth 2.1 hardening, MCP red-teaming, shadow server detection, and gateway architecture. If you secure agentic AI, this is the cert to put on your resume in 2026.
Conclusion
The OWASP MCP Top 10 is the playbook. Treat every MCP server as untrusted. Token hygiene, OAuth 2.1, audit logs, runtime inspection, and a server allowlist close most of the attack surface. Skip them, and you are one tool description away from an agent shipping your secrets.
Ready to learn every risk in this list hands-on? Enroll in the Certified MCP Security Expert (CMCPSE) course and become the MCP security expert your team needs in 2026.
FAQs
Yes. OWASP Foundation project led by Vandana Verma Sehgal. Beta as of 2026.
LLM Top 10 covers the model and its wrapping app. MCP Top 10 covers the protocol agents use to call external tools.
MCP01 (Token Mismanagement). Highest impact. Easiest to start.
