PolicyLayer Attack Database

PolicyLayer Attack DatabaseA verified catalogue of attacks targeting MCP (Model Context Protocol) deployments. Named CVEs, real incidents, and the policies that prevent them.https://policylayer.com/en-gbBackdoored community MCP serverhttps://policylayer.com/attacks/backdoored-community-mcp-server/https://policylayer.com/attacks/backdoored-community-mcp-server/Author-malicious MCP servers published to npm, PyPI, mcp.so, Smithery, and Glama. Kaspersky PoC, VirusTotal audit of 17,845 repos (8% flagged), AgentSeal scan of 1,808 servers (66% findings).Sun, 19 Apr 2026 00:00:00 GMTsupply-chainCompromised MCP server packagehttps://policylayer.com/attacks/compromised-mcp-package/https://policylayer.com/attacks/compromised-mcp-package/Real supply-chain compromises in the MCP ecosystem — the Shai-Hulud worm (chalk, debug), postmark-mcp BCC backdoor, and CVE-2025-6514 in mcp-remote. How they spread and how to contain them.Sun, 19 Apr 2026 00:00:00 GMTsupply-chainConfused Deputyhttps://policylayer.com/attacks/confused-deputy/https://policylayer.com/attacks/confused-deputy/The classic confused-deputy problem (Hardy, 1988) applied to MCP. In June 2025 an Asana MCP cross-tenant leak affected ~1,000 organisations. The MCP spec added RFC 8707 audience binding in response.Sun, 19 Apr 2026 00:00:00 GMTbehaviourCredential leak via error messageshttps://policylayer.com/attacks/credential-leak-via-errors/https://policylayer.com/attacks/credential-leak-via-errors/Verbose MCP error messages echo secrets — stack traces, failed command output, upstream HTTP responses — into the agent's context, logs, and transcripts. OWASP MCP01:2025 classification.Sun, 19 Apr 2026 00:00:00 GMTcredential-dataDestructive Action Autonomyhttps://policylayer.com/attacks/destructive-action-autonomy/https://policylayer.com/attacks/destructive-action-autonomy/When AI agents delete production systems on their own. Amazon's Kiro wiped an AWS region for 13 hours; Replit's agent destroyed a SaaStr database. How require_approval policies prevent it.Sun, 19 Apr 2026 00:00:00 GMTbehaviourIndirect Prompt Injectionhttps://policylayer.com/attacks/indirect-prompt-injection/https://policylayer.com/attacks/indirect-prompt-injection/The root category where attackers plant instructions in data the agent retrieves — webpages, emails, PDFs, calendar invites. Greshake et al. 2023 onward, now acknowledged by OpenAI.Sun, 19 Apr 2026 00:00:00 GMTbehaviourHidden Instructions in Tool Descriptionshttps://policylayer.com/attacks/hidden-instructions-in-tool-descriptions/https://policylayer.com/attacks/hidden-instructions-in-tool-descriptions/The most-reproduced MCP attack in the literature — attackers hide prompt-injection instructions in tool description and schema fields the user never sees. Demonstrated against Cursor by Invariant Labs.Sun, 19 Apr 2026 00:00:00 GMTprotocolData exfiltration via tool chaininghttps://policylayer.com/attacks/data-exfiltration-via-tool-chaining/https://policylayer.com/attacks/data-exfiltration-via-tool-chaining/How attackers chain MCP tool calls to move data from private sources to attacker-controlled sinks. The Supabase Cursor and GitHub MCP incidents of 2025, and the policy patterns that break the chain.Sun, 19 Apr 2026 00:00:00 GMTcredential-dataMCP rug pullhttps://policylayer.com/attacks/mcp-rug-pull/https://policylayer.com/attacks/mcp-rug-pull/Rug pulls exploit MCP's lack of re-approval when tool definitions change. Benign tools earn trust, then silently shift behaviour after approval. Invariant Labs PoC, ETDI paper, and detection patterns.Sun, 19 Apr 2026 00:00:00 GMTsupply-chainMCP STDIO Command Injectionhttps://policylayer.com/attacks/mcp-stdio-command-injection/https://policylayer.com/attacks/mcp-stdio-command-injection/Ox Security disclosed a systemic command-injection flaw in Anthropic's MCP STDIO transport on 15 April 2026, affecting 150M+ SDK downloads. Anthropic called it "expected behaviour."Sun, 19 Apr 2026 00:00:00 GMTprotocolTyposquatting MCP Servershttps://policylayer.com/attacks/mcp-typosquatting/https://policylayer.com/attacks/mcp-typosquatting/How attackers published typosquatted MCP server packages (postmark-mcp, SANDWORM_MODE) to steal emails, SSH keys, and cloud credentials from Claude, Cursor, Windsurf and VS Code users.Sun, 19 Apr 2026 00:00:00 GMTprotocolMCPwn — nginx-ui Auth Bypass (CVE-2026-33032)https://policylayer.com/attacks/mcpwn-auth-bypass/https://policylayer.com/attacks/mcpwn-auth-bypass/CVE-2026-33032 (MCPwn) — the CVSS 9.8 auth bypass that exposed 2,600+ nginx-ui MCP servers to full takeover in two HTTP requests. How it works and how to block it.Sun, 19 Apr 2026 00:00:00 GMTprotocolPrivilege escalation via admin-only toolshttps://policylayer.com/attacks/privilege-escalation-admin-tools/https://policylayer.com/attacks/privilege-escalation-admin-tools/How agents discover and invoke privileged MCP tools via over-scoped tokens — repo+admin:org PATs, Supabase service_role keys, cloud IAM roles covering read and admin alike.Sun, 19 Apr 2026 00:00:00 GMTcredential-dataPrompt Injection via Tool Resultshttps://policylayer.com/attacks/prompt-injection-via-tool-results/https://policylayer.com/attacks/prompt-injection-via-tool-results/MCP tool responses that contain instructions the agent follows. Demonstrated by Invariant Labs against GitHub MCP in May 2025 and by Rehberger against ChatGPT Operator in February 2025.Sun, 19 Apr 2026 00:00:00 GMTbehaviourRunaway Tool Loopshttps://policylayer.com/attacks/runaway-tool-loops/https://policylayer.com/attacks/runaway-tool-loops/Self-sustaining loops of tool calls that burn API quotas, tokens, and third-party billing for days before detection. Framework-level mitigations from LangChain and Claude Code.Sun, 19 Apr 2026 00:00:00 GMTbehaviourToken Mis-redemption Across MCP Servershttps://policylayer.com/attacks/token-mis-redemption/https://policylayer.com/attacks/token-mis-redemption/Why the MCP 2025-11-25 specification makes RFC 8707 resource indicators mandatory. Token mis-redemption lets a malicious MCP server replay a stolen token against a more privileged service.Sun, 19 Apr 2026 00:00:00 GMTprotocolSession hijacking in HTTP MCPhttps://policylayer.com/attacks/session-hijacking-http-mcp/https://policylayer.com/attacks/session-hijacking-http-mcp/How predictable Mcp-Session-Id headers let attackers attach to SSE streams, read tool I/O, and inject tool calls. CVEs disclosed against oatpp, Ruby, TypeScript and Java MCP SDKs.Sun, 19 Apr 2026 00:00:00 GMTcredential-dataTool Poisoning in MCP Definitionshttps://policylayer.com/attacks/tool-poisoning/https://policylayer.com/attacks/tool-poisoning/Tool poisoning embeds hidden prompt injections in MCP tool names, descriptions, and schemas. Disclosed by Invariant Labs in April 2025, reproduced against Cursor, Claude Desktop, and 45 real servers.Sun, 19 Apr 2026 00:00:00 GMTprotocol