<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"><channel><title>Model Context Problems</title><description>A chronicle of publicly disclosed security incidents in the Model Context Protocol ecosystem.</description><link>https://modelcontextproblems.com/</link><language>en-us</language><item><title>Claude Code SOCKS5 Sandbox Bypass Exfiltrates Credentials and MCP Configs</title><link>https://modelcontextproblems.com/#incident-15/</link><guid isPermaLink="true">https://modelcontextproblems.com/#incident-15/</guid><description>Aonan Guan, who leads cloud and AI security at Wyze Labs, publicly disclosed his second Claude Code network sandbox bypass in five months. The latest issue is a SOCKS5 hostname null-byte injection. Claude Code&apos;s proxy enforces its egress allowlist by passing the raw DOMAINNAME bytes from a CONNECT request through a JavaScript `endsWith()` check against the user&apos;s wildcard policy. JavaScript treats `\x00` as an ordinary UTF-16 code unit, so a crafted host like `attacker-host.com\x00.google.com` matches an allowlist entry for `.google.com` and is approved. When libc later resolves the hostname via `getaddrinfo()`, the C runtime truncates at the null byte and dials `attacker-host.com` instead. Every release from v2.0.24 (sandbox GA on Oct 20, 2025) through v2.1.89 was vulnerable. Anthropic shipped a fix in v2.1.90 on April 1, 2026, with no security note in the changelog, no advisory on the Claude Code page, and no CVE assigned. 
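As an added example, not code from the disclosure or from Claude Code itself, the following JavaScript models the check described above: a suffix-match allowlist fed the raw hostname bytes, the C-string view that getaddrinfo() ends up resolving, and a hardened check that validates hostname syntax before policy matching. The rule format (a leading dot matches any subdomain), the list contents and the function names are assumptions.

```javascript
// Added example, not Claude Code's own source. It models the allowlist check
// described in the disclosure and a hardened version. The rule format (a
// leading dot means "this domain or any subdomain") and all names are assumed.

// Constructed egress policy in the style of the wildcard rule ".google.com".
const EGRESS_ALLOWLIST = [".google.com", "api.anthropic.com"];

function suffixMatch(host, rule) {
  // A leading dot is a wildcard rule; anything else must match exactly.
  return rule.startsWith(".") ? host.endsWith(rule) : host === rule;
}

// Vulnerable: the raw DOMAINNAME bytes from the CONNECT request go straight
// into endsWith(). A NUL is just one more UTF-16 code unit to JavaScript.
function vulnerableAllows(host) {
  return EGRESS_ALLOWLIST.some((rule) => suffixMatch(host, rule));
}

// What getaddrinfo() will see: a C string ends at the first NUL byte.
function asCString(host) {
  const nul = host.indexOf("\x00");
  return nul === -1 ? host : host.slice(0, nul);
}

// Hardened: validate the hostname syntactically before policy matching, so
// NUL, whitespace and other non-hostname characters are rejected up front.
const HOSTNAME_RE = /^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/i;

function hardenedAllows(host) {
  if (!HOSTNAME_RE.test(host)) return false;
  // Belt and braces: the name the policy approved must be the name libc resolves.
  if (asCString(host) !== host) return false;
  return EGRESS_ALLOWLIST.some((rule) => suffixMatch(host, rule));
}

// Walk one hostname through both checks and show what would actually be dialed.
function demo(host) {
  return {
    policyApproved: vulnerableAllows(host),
    actuallyDialed: asCString(host),
    hardenedApproved: hardenedAllows(host),
  };
}

console.log(demo("attacker-host.com\x00.google.com"));
// { policyApproved: true, actuallyDialed: 'attacker-host.com', hardenedApproved: false }
```

Run it with node; the demo call at the bottom shows the crafted name passing the suffix check, collapsing to the attacker host at the libc boundary, and failing the hardened check. The general lesson is that any policy decision made in a language with length-delimited strings must be made on exactly the bytes the NUL-terminated layer below will consume.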
Exfiltration paths reachable from inside the sandbox include MCP server configs, `~/.claude.json`, project source, and anything else the agent could read.</description><pubDate>Wed, 20 May 2026 00:00:00 GMT</pubDate><category>high</category><category>data-exfiltration</category><category>sandbox-escape</category><category>authentication</category></item><item><title>NSA Publishes MCP Security Design Considerations</title><link>https://modelcontextproblems.com/#incident-13/</link><guid isPermaLink="true">https://modelcontextproblems.com/#incident-13/</guid><description>The NSA&apos;s Artificial Intelligence Security Center released a Cybersecurity Information Sheet titled &quot;Model Context Protocol (MCP): Security Design Considerations for AI-Driven Automation.&quot; The document flags MCP&apos;s &quot;rapid proliferation [that] has outpaced the development of its security model.&quot; It calls out the protocol&apos;s inversion of the typical client-server pattern (the server can prompt the client to take actions) and enumerates systemic concerns: trust boundary ambiguity, unverified task propagation, session-replay risk, and serialization issues. It urges &quot;heightened scrutiny&quot; for production deployments, especially in national-security and high-assurance environments.</description><pubDate>Wed, 20 May 2026 00:00:00 GMT</pubDate><category>informational</category><category>protocol-design</category><category>government-guidance</category><category>advisory</category><category>ai-supply-chain</category></item><item><title>Mini Shai-Hulud Worm Weaponizes Claude Code and MCP Configs for Persistence</title><link>https://modelcontextproblems.com/#incident-14/</link><guid isPermaLink="true">https://modelcontextproblems.com/#incident-14/</guid><description>TeamPCP&apos;s Mini Shai-Hulud worm campaign ran through April and May 2026, hijacking npm maintainer accounts and publishing self-propagating malware across more than 600 packages on npm and PyPI. 
The May 19 wave compromised the `atool` and `prop` accounts and pushed 639 malicious versions across 323 packages in Alibaba&apos;s @antv data visualization ecosystem in a 22-minute automated burst. Earlier waves hit SAP CAP / `mbt` (April 29), TanStack (May 11), Mistral AI, Guardrails AI, UiPath, and OpenSearch. Each compromised release ships a preinstall hook that downloads the Bun JavaScript runtime as a living-off-the-land binary, then executes a credential harvester that sweeps cloud tokens, CI secrets, and password-manager vaults. The novel part: the payload reads `~/.claude.json` and the host&apos;s MCP server configurations, then appends `SessionStart` hooks to `.claude/settings.json` so the next time Claude Code opens any project on the machine, the malware re-executes with full agent privileges. Researchers at Akamai, Snyk, Wiz, StepSecurity, and Phoenix Security all confirmed the AI-coding-agent persistence behavior independently.</description><pubDate>Tue, 19 May 2026 00:00:00 GMT</pubDate><category>critical</category><category>supply-chain</category><category>credential-theft</category><category>exploited-in-the-wild</category><category>ai-supply-chain</category></item><item><title>nginx-ui MCP Endpoint Unauthenticated RCE</title><link>https://modelcontextproblems.com/#incident-12/</link><guid isPermaLink="true">https://modelcontextproblems.com/#incident-12/</guid><description>Pluto Security disclosed a critical (CVSS 9.8) vulnerability in nginx-ui&apos;s Model Context Protocol implementation. The MCP integration split traffic across two HTTP endpoints. `/mcp` handles session establishment and was correctly gated by an IP whitelist and auth middleware. `/mcp_message` handles tool invocation, including configuration writes and server restart, and shipped with no authentication at all. The default IP whitelist is empty, so the unauthenticated endpoint accepted connections from any address. 
Shodan turned up over 2,600 publicly exposed nginx-ui instances on the default port 9000. Pluto disclosed the flaw in early March 2026, v2.3.4 fixed it, and Recorded Future later listed the CVE among 31 vulnerabilities actively exploited by threat actors in March 2026.</description><pubDate>Sat, 25 Apr 2026 00:00:00 GMT</pubDate><category>critical</category><category>rce</category><category>authentication</category><category>exploited-in-the-wild</category><category>supply-chain</category></item><item><title>Anthropic MCP SDK STDIO Command Injection (Declined to Patch)</title><link>https://modelcontextproblems.com/#incident-11/</link><guid isPermaLink="true">https://modelcontextproblems.com/#incident-11/</guid><description>OX Security disclosed a systemic command-injection vulnerability in Anthropic&apos;s official MCP SDKs across Python, TypeScript, Java, and Rust. The STDIO transport invokes a configured command string through the OS shell unconditionally. If the intended MCP binary doesn&apos;t exist, the shell still executes whatever else was supplied in the command string. OX identified four distinct exploitation families, all tracing back to the same root cause, affecting more than 7,000 publicly accessible servers and 150 million package downloads, with an estimated 200,000 vulnerable instances across the ecosystem. Anthropic acknowledged the behavior, declined to modify the protocol, and updated its security guidance to advise that STDIO adapters be &quot;used with caution.&quot; The company characterized the existing design as a *secure default* with sanitization being the developer&apos;s responsibility. 
Downstream CVEs already cluster around the same root cause: CVE-2026-22252 (LibreChat), CVE-2026-22688 (WeKnora), CVE-2025-54994 (@akoskm/create-mcp-server-stdio).</description><pubDate>Wed, 15 Apr 2026 00:00:00 GMT</pubDate><category>critical</category><category>rce</category><category>command-injection</category><category>supply-chain</category><category>protocol-design</category></item><item><title>Perplexity Ditches MCP</title><link>https://modelcontextproblems.com/#incident-10/</link><guid isPermaLink="true">https://modelcontextproblems.com/#incident-10/</guid><description>The article argues that MCP is too token-hungry to be practical at production scale: tool definitions consume most of the context window before any user request is processed. Several major companies are independently abandoning it in favor of lighter-weight alternatives such as traditional APIs and CLIs.</description><pubDate>Mon, 16 Mar 2026 00:00:00 GMT</pubDate><category>informational</category><category>protocol-design</category><category>ai-supply-chain</category><category>vendor-abandonment</category></item><item><title>ContextCrush Flaw in Context7 MCP Server</title><link>https://modelcontextproblems.com/#incident-9/</link><guid isPermaLink="true">https://modelcontextproblems.com/#incident-9/</guid><description>Noma Labs discovered the ContextCrush vulnerability in Context7, a registry that delivers coding documentation to AI assistants via an MCP server. An attacker could abuse the platform&apos;s Custom Rules feature to plant malicious instructions in the documentation the registry serves. 
When an AI coding assistant (such as Cursor or Windsurf) queried that documentation, it ingested the poisoned rules over the trusted MCP channel and autonomously executed harmful actions, such as exfiltrating .env files.</description><pubDate>Wed, 18 Feb 2026 00:00:00 GMT</pubDate><category>critical</category><category>prompt-injection</category><category>credential-theft</category><category>supply-chain</category></item><item><title>Microsoft MarkItDown MCP Server SSRF</title><link>https://modelcontextproblems.com/#incident-8/</link><guid isPermaLink="true">https://modelcontextproblems.com/#incident-8/</guid><description>BlueRock researchers discovered a severe Server-Side Request Forgery (SSRF) flaw in the MCP server built for Microsoft&apos;s MarkItDown file converter. The server did not validate the URIs it was asked to convert, so an attacker could make it fetch link-local cloud metadata endpoints (e.g., the AWS instance metadata service at 169.254.169.254) through the AI agent&apos;s tool call. Subsequent scans revealed that over 36% of public MCP servers contained similar SSRF vulnerabilities.</description><pubDate>Wed, 21 Jan 2026 00:00:00 GMT</pubDate><category>critical</category><category>ssrf</category><category>cloud-metadata</category><category>aws</category></item><item><title>Anthropic Git MCP Server RCE</title><link>https://modelcontextproblems.com/#incident-7/</link><guid isPermaLink="true">https://modelcontextproblems.com/#incident-7/</guid><description>Cyata researchers disclosed a chain of critical vulnerabilities in Anthropic&apos;s official Git MCP server. The flaws included an unrestricted git_init function, a path-validation bypass, and an argument-injection vulnerability. 
Attackers could chain these to turn arbitrary directories into Git repositories, overwrite system files, and achieve RCE via malicious .git/config manipulation.</description><pubDate>Tue, 20 Jan 2026 00:00:00 GMT</pubDate><category>high</category><category>rce</category><category>file-overwrite</category><category>git</category></item><item><title>Anthropic Filesystem MCP Sandbox Escape</title><link>https://modelcontextproblems.com/#incident-6/</link><guid isPermaLink="true">https://modelcontextproblems.com/#incident-6/</guid><description>Cymulate disclosed two high-severity defects in Anthropic&apos;s official Filesystem MCP Server. Attackers exploiting these flaws could list, read, or write to directories outside the allowed scope. If the server was run as a privileged user, this could lead to full sandbox escape, manipulation of critical system files, and privilege escalation.</description><pubDate>Tue, 15 Jul 2025 00:00:00 GMT</pubDate><category>high</category><category>sandbox-escape</category><category>privilege-escalation</category><category>filesystem</category></item><item><title>Anthropic MCP Inspector Local Network RCE</title><link>https://modelcontextproblems.com/#incident-5/</link><guid isPermaLink="true">https://modelcontextproblems.com/#incident-5/</guid><description>Oligo Security and Tenable discovered a critical flaw (CVSS 9.4) in the Anthropic MCP Inspector tool. 
Because the Inspector&apos;s web UI and its proxy shipped with no out-of-the-box authentication, an attacker on the same local network could inject malicious commands (an attack Oligo dubbed NeighborJacking), or a malicious web page could reach the local service through cross-site requests, either way achieving RCE.</description><pubDate>Thu, 10 Jul 2025 00:00:00 GMT</pubDate><category>critical</category><category>rce</category><category>local-network</category><category>authentication</category></item><item><title>mcp-remote OS Command Injection</title><link>https://modelcontextproblems.com/#incident-4/</link><guid isPermaLink="true">https://modelcontextproblems.com/#incident-4/</guid><description>The JFrog Security Research team discovered a critical vulnerability (CVSS 9.6) in mcp-remote, a popular proxy tool (over 437,000 downloads) used to connect local LLM hosts to remote MCP servers. If a user connected to a malicious remote MCP server, the server could send a booby-trapped authorization_endpoint URL that achieved full arbitrary OS command execution on the user&apos;s local machine.</description><pubDate>Wed, 09 Jul 2025 00:00:00 GMT</pubDate><category>critical</category><category>rce</category><category>command-injection</category><category>mcp-remote</category></item><item><title>Asana MCP Server Cross-Tenant Data Leak</title><link>https://modelcontextproblems.com/#incident-3/</link><guid isPermaLink="true">https://modelcontextproblems.com/#incident-3/</guid><description>Work management platform Asana had to temporarily disable its experimental MCP feature after discovering a logic flaw in its implementation. 
The flaw failed to isolate tenant data, meaning AI agents could potentially access customer data, projects, and tasks belonging to entirely different organizations.</description><pubDate>Wed, 18 Jun 2025 00:00:00 GMT</pubDate><category>high</category><category>data-leak</category><category>cross-tenant</category><category>authorization</category></item><item><title>LangSmith AgentSmith Prompt Hub Flaw</title><link>https://modelcontextproblems.com/#incident-2/</link><guid isPermaLink="true">https://modelcontextproblems.com/#incident-2/</guid><description>A severe vulnerability (CVSS 8.8) dubbed AgentSmith was disclosed in LangSmith&apos;s Prompt Hub. The flaw exposed AI agents using MCP to data theft and manipulation, allowing malicious agents to hijack LLM responses and steal user API keys.</description><pubDate>Thu, 12 Jun 2025 00:00:00 GMT</pubDate><category>high</category><category>credential-theft</category><category>llm-manipulation</category><category>prompt-hub</category></item><item><title>GitHub MCP Prompt Injection Data Heist</title><link>https://modelcontextproblems.com/#incident-1/</link><guid isPermaLink="true">https://modelcontextproblems.com/#incident-1/</guid><description>Security researchers at Invariant Labs discovered a critical vulnerability affecting the official GitHub MCP integration. Attackers could create maliciously crafted issues in public repositories. When a developer asked their AI assistant to check open issues, the AI would read the malicious payload, be prompt-injected, and autonomously use the developer&apos;s credentials to exfiltrate private repository data (such as source code and salary information) into public pull requests.</description><pubDate>Mon, 26 May 2025 00:00:00 GMT</pubDate><category>critical</category><category>prompt-injection</category><category>data-exfiltration</category><category>github</category></item></channel></rss>