PolicyLayer MCP Incidents

Database MCP Backend Vulnerabilities: Apache Doris SQLi, Pinot Auth Bypass, Alibaba RDS Metadata Exposure (CVE-2025-66335)

Wed, 13 May 2026 00:00:00 GMT

Three popular database MCP servers shipped with the same class of failure: no validation between the MCP endpoint and the back end. Akamai researcher Tomer Peled found SQL injection in Apache Doris MCP (CVE-2025-66335), an authentication bypass enabling full database takeover in Apache Pinot MCP, and unauthenticated metadata exposure in Alibaba's RDS MCP RAG tool. Apache patched Doris. StarTree added an optional OAuth layer to Pinot. Alibaba told Akamai the issue was not applicable for a fix.

n8n-MCP Path Traversal, Redirect SSRF, and Telemetry Token Leakage (GHSA-8g7g-hmwm-6rv2)

Mon, 11 May 2026 00:00:00 GMT

Three independently-reported vulnerabilities in n8n-MCP before version 2.50.1 gave authenticated callers more access than they were supposed to have. A crafted workflow ID with directory traversal sequences routes outbound requests bearing the n8n API key to arbitrary same-origin endpoints, bypassing DISABLED_TOOLS restrictions entirely. Validated webhook URLs that follow HTTP redirects silently hand responses from internal networks back to the caller. And telemetry uploads containing unredacted workflow diffs carry bearer tokens, API keys, and webhook secrets out of the deployment. All three are fixed in 2.50.1.

FastGPT Stored MCP Tool URL SSRF (CVE-2026-44284)

Fri, 08 May 2026 00:00:00 GMT

FastGPT's MCP tool URL validation ran at request time but not at persistence time, creating a two-phase bypass. An authenticated user with tool-management permissions could store an internal network URL as a configured MCP server endpoint. The runtime workflow executor later loaded that stored URL and connected to the internal destination without re-checking. The check existed; it just ran in the wrong place.

MCP Registry OIDC Token Replay Across Deployments (CVE-2026-44428)

Fri, 08 May 2026 00:00:00 GMT

The official Model Context Protocol registry used a shared OIDC audience across all registry deployments. Any attacker-controlled or compromised registry instance could take a GitHub OIDC token minted for itself and replay it against a different registry deployment, inheriting that deployment's publish permissions. The flaw sits at the top of the MCP supply chain, in the infrastructure that distributes MCP servers to clients at scale.

Cursor Sandbox Escape via Git Hooks (CVE-2026-26268)

Tue, 28 Apr 2026 00:00:00 GMT

Cursor's AI agent can be told to write files. Nothing in versions before 2.5 prevented it from writing to .git/hooks/. An attacker who can inject a prompt into the agent's context, via a malicious repository, a crafted issue body, or a poisoned tool response, can plant a hook script that Git will execute automatically on the next commit, push, or checkout. The sandbox breaks the moment the developer runs a routine Git operation. No second prompt required.

Gemini CLI RCE via Workspace Trust and Tool Allowlist Bypass (GHSA-wpqr-6v78-jr5g)

Fri, 24 Apr 2026 00:00:00 GMT

Gemini CLI running in CI/CD headless mode automatically trusted workspace folders and executed configuration from them without verification. A second bypass in Yolo execution mode ignored fine-grained tool allowlists entirely. The combination let an attacker plant a malicious .gemini/settings.json in any repository processed by the agent to achieve arbitrary command execution on the build host. Researchers Elad Meged (Novee Security) and Dan Lisichkin (Pillar Security) discovered both bypasses. GitHub rated the advisory CVSS 10.0. Google patched both the CLI and the associated GitHub Action on April 24, 2026.

Anthropic MCP STDIO RCE (OX Security disclosure)

Wed, 15 Apr 2026 00:00:00 GMT

OX Security found that Anthropic's official MCP SDKs hand configuration values directly to OS command execution over the STDIO transport. Any path that lets an attacker influence MCP server configuration (a malicious package, a tampered config file, untrusted user input) becomes arbitrary command execution. Ten CVEs landed across downstream projects including LiteLLM, LangChain, LangFlow, Flowise, LettaAI, LangBot, MCP Inspector, and Cursor. The supply chain footprint: 7,000+ publicly accessible servers, 150M+ package downloads, up to 200,000 vulnerable instances. Anthropic's response: this is by design. Sanitisation is the developer's job.

Windsurf Zero-Click Prompt Injection to RCE (CVE-2026-30615)

Wed, 15 Apr 2026 00:00:00 GMT

Open a file, get owned. Windsurf 1.9544.26 was the only AI IDE in the OX Security disclosure chain where exploitation required zero user interaction. Attacker-controlled HTML content, when rendered by the IDE, injected instructions that silently modified the local MCP JSON configuration and registered a malicious STDIO server. The MCP SDK did the rest: it launched the server binary and handed the attacker a command execution primitive. No click, no approval prompt, no warning in the developer toolchain.

Flowise and Upsonic MCP Hardening Bypass (CVE-2026-30625 / GHSA-c9gw-hvqq-f33r)

Wed, 15 Apr 2026 00:00:00 GMT

Both Flowise and Upsonic knew MCP STDIO was dangerous and built defences: command allowlists that restricted execution to trusted binaries like npm, npx, and python. OX Security bypassed both in under a minute by passing npx -c <command>. The binary is on the allowlist; the argument that turns it into an arbitrary shell executor is not. The finding is a case study in why surface-level allowlists fail against the MCP STDIO execution model, and why the fix required filtering not just command names but every flag that enables inline execution.

Splunk MCP Server Clear-Text Token Exposure (CVE-2026-20205)

Wed, 15 Apr 2026 00:00:00 GMT

The Splunk MCP Server app wrote session and authorisation tokens to the Splunk _internal index in clear text. Any user with the mcp_tool_admin capability or access to that index could read active credentials for other sessions and replay them. Splunk published the advisory alongside a patch to version 1.0.3 on April 15, 2026. Exploitation requires high privileges by default, but in Splunk environments where _internal access is granted broadly or admin accounts are compromised, it becomes a direct credential harvesting path for any session using the MCP server.

Azure MCP Server Missing Authentication and Information Disclosure (CVE-2026-32211)

Fri, 03 Apr 2026 00:00:00 GMT

Microsoft's Azure MCP Server shipped a critical function without an authentication check, giving any network-accessible attacker direct access to sensitive data. The flaw, scored CVSS 9.1, requires no privileges and no user interaction. Microsoft classified it as an exclusively-hosted service issue, remediated server-side on April 3, 2026, with no customer action required. The disclosure is terse by Microsoft's standard, but the scoring vector (C:H/I:H) signals the exposed data likely includes configuration material, tokens, or project data, not just operational metadata.

Azure MCP Server RCE and Cloud Takeover (CVE-2026-26118 / MCPwned)

Wed, 25 Mar 2026 00:00:00 GMT

The official Azure MCP Server shipped the SSE transport without authentication and exposed azmcp-extension-az, a tool that passes user-controlled arguments directly to the Azure CLI process. Researcher Ariel Simon of Token Security demonstrated that an attacker on the network could invoke the tool with crafted arguments to write arbitrary files on the server host, then extract the Entra ID credentials held in the server's environment, compromising the entire Azure tenant. Microsoft patched the issue by removing the SSE transport, removing the vulnerable tool, and shipping a new transport with mandatory authentication. The finding was presented at RSAC 2026 and simultaneously tracked as CVE-2026-26118 (CVSS 8.8) in Microsoft's March 2026 Patch Tuesday.

MCPwn (CVE-2026-33032)

Sun, 15 Mar 2026 00:00:00 GMT

Two HTTP requests, full nginx server takeover. nginx-ui shipped its MCP server with AuthRequired() middleware on /mcp but not on its sibling /mcp_message. Anyone on the network could grab a session ID from the protected endpoint, replay it against the unprotected one, and invoke any of twelve destructive tools. One of them, nginx_config_add, accepts arbitrary configuration with auto-reload. Roughly 2,600 instances were exposed on the default port at disclosure; Recorded Future listed it among 31 vulnerabilities under active exploitation in March 2026.

MCP TypeScript SDK Cross-Client Data Leak (CVE-2026-25536)

Wed, 04 Feb 2026 00:00:00 GMT

When a single McpServer instance with a StreamableHTTPServerTransport is reused across multiple client connections, response data leaks across client boundaries. One client receives tool output intended for another. This is the canonical multi-tenant MCP deployment mistake: the SDK permits instance reuse but the transport state is not isolated per client. The flaw affects versions 1.10.0 through 1.25.3 of the official TypeScript SDK, a window spanning roughly fifteen months of production deployments. Six public PoC exploits are catalogued on GitHub. The fix in 1.26.0 adds runtime guards that convert silent misrouting into an immediate error.

GitHub MCP Prompt Injection: Cross-Repo Data Heist

Mon, 26 May 2025 00:00:00 GMT

A planted issue in a public repo can convince a developer's AI agent to copy private repo contents into that public repo. The official GitHub MCP server hands the agent the user's full GitHub credentials, so private and public scope live in the same context. The agent reads issue bodies as if they were user instructions. Anyone who can open an issue can plant instructions. The attack is the classic confused deputy, executed through tools the user trusted.