Attacks on MCP deployments
A reference catalogue of known attacks against MCP (Model Context Protocol) deployments. Every entry documents how the attack works, a verified real-world incident or proof-of-concept, detection signals, and a concrete policy pattern that defends against it.
MCP ships tools from untrusted servers into agent contexts. The protocol itself has no opinion about authorisation, rate limits, or spend caps — which leaves every deployment one missed middleware call away from a full compromise. This database tracks the specific ways that has gone wrong.
Entries are grouped by attack surface: protocol-level flaws in the transport itself, agent behaviour issues where the agent misuses tools, credential and data attacks, and supply chain compromises of MCP servers and packages.
Protocol-level attacks
Attacks that exploit the MCP protocol itself — auth bypasses, command injection in the transport layer, and poisoned tool metadata.
Agent behaviour attacks
Attacks that exploit how agents reason about and chain tool calls — runaway loops, destructive autonomy, and prompt injection.
Credential & data attacks
Attacks that target credentials, sessions, and sensitive data flowing through MCP tool calls.
Supply chain attacks
Attacks on the MCP server ecosystem — compromised packages, typosquatting, rug pulls, and backdoored community servers.