MCP Incidents
A live database of security incidents affecting Model Context Protocol servers, clients, SDKs and transports. Each entry names the policy controls that would have prevented or contained it.
Cursor Sandbox Escape via Git Hooks (CVE-2026-26268)
Cursor's AI agent can be told to write files. Nothing in versions before 2.5 prevented it from writing to .git/hooks/. An attacker who can inject a prompt into the agent's context, via a malicious repository...
Anthropic MCP STDIO RCE (OX Security disclosure)
OX Security found that Anthropic's official MCP SDKs hand configuration values directly to OS command execution over the STDIO transport. Any path that lets an attacker influence MCP server configuration (a malicious pac...
Windsurf Zero-Click Prompt Injection to RCE (CVE-2026-30615)
Open a file, get owned. Windsurf 1.9544.26 was the only AI IDE in the OX Security disclosure chain where exploitation required zero user interaction. Attacker-controlled HTML content, when rendered by the IDE, injected i...
Flowise and Upsonic MCP Hardening Bypass (CVE-2026-30625 / GHSA-c9gw-hvqq-f33r)
Both Flowise and Upsonic knew MCP STDIO was dangerous and built defences: command allowlists that restricted execution to trusted binaries like npm, npx, and python. OX Security byp...
MCPwn (CVE-2026-33032)
Two HTTP requests, full nginx server takeover. nginx-ui shipped its MCP server with AuthRequired() middleware on /mcp but not on its sibling /mcp_message. Anyone on the network could grab a session ID from the protected ...
GitHub MCP Prompt Injection: Cross-Repo Data Heist
A planted issue in a public repo can convince a developer's AI agent to copy private repo contents into that public repo. The official GitHub MCP server hands the agent the user's full GitHub credentials, so private and ...