MCP Incidents
A live database of security incidents affecting Model Context Protocol servers, clients, SDKs and transports. Each entry names the policy controls that would have prevented or contained it.
Database MCP Backend Vulnerabilities: Apache Doris SQLi, Pinot Auth Bypass, Alibaba RDS Metadata Exposure (CVE-2025-66335)
Three popular database MCP servers shipped with the same class of failure: no validation between the MCP endpoint and the back end. Akamai researcher Tomer Peled found SQL injection in Apache Doris MCP (CVE-2025-66335), ...
n8n-MCP Path Traversal, Redirect SSRF, and Telemetry Token Leakage (GHSA-8g7g-hmwm-6rv2)
Three independently reported vulnerabilities in n8n-MCP before version 2.50.1 gave authenticated callers more access than they were supposed to have. A crafted workflow ID with directory traversal sequences routes outbou...
FastGPT Stored MCP Tool URL SSRF (CVE-2026-44284)
FastGPT's MCP tool URL validation ran at request time but not at persistence time, creating a two-phase bypass. An authenticated user with tool-management permissions could store an internal network URL as a configured M...
MCP Registry OIDC Token Replay Across Deployments (CVE-2026-44428)
The official Model Context Protocol registry used a shared OIDC audience across all registry deployments. Any attacker-controlled or compromised registry instance could take a GitHub OIDC token minted for itself and repl...
Cursor Sandbox Escape via Git Hooks (CVE-2026-26268)
Cursor's AI agent can be told to write files. Nothing in versions before 2.5 prevented it from writing to .git/hooks/. An attacker who can inject a prompt into the agent's context, via a malicious repository...
Gemini CLI RCE via Workspace Trust and Tool Allowlist Bypass (GHSA-wpqr-6v78-jr5g)
Gemini CLI running in CI/CD headless mode automatically trusted workspace folders and executed configuration from them without verification. A second bypass in Yolo execution mode ignored fine-grained tool allowlists ent...
Anthropic MCP STDIO RCE (OX Security disclosure)
OX Security found that Anthropic's official MCP SDKs hand configuration values directly to OS command execution over the STDIO transport. Any path that lets an attacker influence MCP server configuration (a malicious pac...
Windsurf Zero-Click Prompt Injection to RCE (CVE-2026-30615)
Open a file, get owned. Windsurf 1.9544.26 was the only AI IDE in the OX Security disclosure chain where exploitation required zero user interaction. Attacker-controlled HTML content, when rendered by the IDE, injected i...
Flowise and Upsonic MCP Hardening Bypass (CVE-2026-30625 / GHSA-c9gw-hvqq-f33r)
Both Flowise and Upsonic knew MCP STDIO was dangerous and built defences: command allowlists that restricted execution to trusted binaries like npm, npx, and python. OX Security byp...
Splunk MCP Server Clear-Text Token Exposure (CVE-2026-20205)
The Splunk MCP Server app wrote session and authorisation tokens to the Splunk _internal index in clear text. Any user with the mcp_tool_admin capability or access to that index could read active credentials for other se...
Azure MCP Server Missing Authentication and Information Disclosure (CVE-2026-32211)
Microsoft's Azure MCP Server shipped a critical function without an authentication check, giving any network-accessible attacker direct access to sensitive data. The flaw, scored CVSS 9.1, requires no privileges and no u...
Azure MCP Server RCE and Cloud Takeover (CVE-2026-26118 / MCPwned)
The official Azure MCP Server shipped the SSE transport without authentication and exposed azmcp-extension-az, a tool that passes user-controlled arguments directly to the Azure CLI process. Researcher Ariel Simon of Tok...
MCPwn (CVE-2026-33032)
Two HTTP requests, full nginx server takeover. nginx-ui shipped its MCP server with AuthRequired() middleware on /mcp but not on its sibling /mcp_message. Anyone on the network could grab a session ID from the protected ...
MCP TypeScript SDK Cross-Client Data Leak (CVE-2026-25536)
When a single McpServer instance with a StreamableHTTPServerTransport is reused across multiple client connections, response data leaks across client boundaries. One client receives tool output intended for another. This...
GitHub MCP Prompt Injection: Cross-Repo Data Heist
A planted issue in a public repo can convince a developer's AI agent to copy private repo contents into that public repo. The official GitHub MCP server hands the agent the user's full GitHub credentials, so private and ...