survey 2025

Securing the Model Context Protocol (MCP): Risks, Controls, and Governance

Herman Errico¹, Jiquan Ngiam², Shanita Sojan³

10 citations · 34 references · arXiv


Published on arXiv: 2511.20920

OWASP LLM Top 10 categories:
  • Prompt Injection (LLM01)
  • Insecure Plugin Design (LLM07)
  • Excessive Agency (LLM08)

Key Finding

Identifies tool poisoning, indirect prompt injection, and excessive agency as the primary unsolved MCP security threats and proposes a governance framework to address them.


The Model Context Protocol (MCP) replaces static, developer-controlled API integrations with more dynamic, user-driven agent systems, which also introduces new security risks. As MCP adoption grows across community servers and major platforms, organizations encounter threats that existing AI governance frameworks (such as NIST AI RMF and ISO/IEC 42001) do not yet cover in detail. We focus on three types of adversaries that take advantage of MCP's flexibility: content-injection attackers that embed malicious instructions into otherwise legitimate data; supply-chain attackers who distribute compromised servers; and agents that become unintentional adversaries by overstepping their role. Based on early incidents and proof-of-concept attacks, we describe how MCP can increase the attack surface through data-driven exfiltration, tool poisoning, and cross-system privilege escalation. In response, we propose a set of practical controls, including per-user authentication with scoped authorization, provenance tracking across agent workflows, containerized sandboxing with input/output checks, inline policy enforcement with DLP and anomaly detection, and centralized governance using private registries or gateway layers. The aim is to help organizations ensure that unvetted code does not run outside a sandbox, tools are not used beyond their intended scope, data exfiltration attempts are detectable, and actions can be audited end-to-end. We close by outlining open research questions around verifiable registries, formal methods for these dynamic systems, and privacy-preserving agent operations.


Key Contributions

  • Taxonomy of three MCP adversary types: content-injection attackers, supply-chain attackers, and over-scoped agents
  • Description of MCP-specific attack vectors including tool poisoning, data-driven exfiltration, and cross-system privilege escalation
  • Practical control framework including scoped authentication, provenance tracking, containerized sandboxing, DLP enforcement, and centralized governance via private registries

🛡️ Threat Analysis

Details
Domains: nlp
Model Types: llm
Threat Tags: inference_time, black_box, digital
Applications: llm agent systems, mcp-based tool integrations, ai assistants