defense 2026

Breaking the Protocol: Security Analysis of the Model Context Protocol Specification and Prompt Injection Vulnerabilities in Tool-Integrated LLM Agents

Narek Maloyan , Dmitry Namiot

0 citations · 25 references · arXiv

Published on arXiv

2601.17549

Insecure Plugin Design

OWASP LLM Top 10 — LLM07

Prompt Injection

OWASP LLM Top 10 — LLM01

Key Finding

MCP's architectural choices amplify prompt injection attack success rates by 23–41% compared to non-MCP baselines; AttestMCP reduces aggregate attack success from 52.8% to 12.4% with 8.3ms median per-message latency overhead.

AttestMCP

Novel technique introduced


The Model Context Protocol (MCP) has emerged as a de facto standard for integrating Large Language Models with external tools, yet no formal security analysis of the protocol specification exists. We present the first rigorous security analysis of MCP's architectural design, identifying three fundamental protocol-level vulnerabilities: (1) absence of capability attestation allowing servers to claim arbitrary permissions, (2) bidirectional sampling without origin authentication enabling server-side prompt injection, and (3) implicit trust propagation in multi-server configurations. We implement MCPBench, a novel framework bridging existing agent security benchmarks to MCP-compliant infrastructure, enabling direct measurement of protocol-specific attack surfaces. Through controlled experiments on 847 attack scenarios across five MCP server implementations, we demonstrate that MCP's architectural choices amplify attack success rates by 23–41% compared to equivalent non-MCP integrations. We propose MCPSec, a backward-compatible protocol extension adding capability attestation and message authentication, reducing attack success rates from 52.8% to 12.4% with median latency overhead of 8.3ms per message. Our findings establish that MCP's security weaknesses are architectural rather than implementation-specific, requiring protocol-level remediation.
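The abstract names three protocol-level gaps: unattested capability claims, server-to-client messages without origin authentication, and trust that leaks across servers. The following added example (written for this page, not the paper's MCPSec/AttestMCP code, whose design the page does not describe) sketches what a client-side check for each gap looks like: a capability manifest is accepted only if it carries a valid attestation tag from a trusted authority, every server message must carry a per-session MAC and a fresh sequence number, and each server gets its own session key so one server cannot speak for another. HMAC over a shared key stands in for the asymmetric signatures a real deployment would use; the method names `tools/call` and `sampling/createMessage` are used as illustrative JSON-RPC methods, and the keys, server names and messages are all constructed for the example.

```python
import hmac
import hashlib
import json

# Constructed trust anchor for this example; in practice the attestation
# key belongs to a registry or authority the client trusts, and a signature
# scheme would replace the HMAC so servers cannot mint their own tags.
ATTESTATION_KEY = b"example-attestation-authority-key"


def canonical(obj) -> bytes:
    """Deterministic JSON encoding so both sides MAC identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def attest_manifest(manifest: dict, key: bytes = ATTESTATION_KEY) -> str:
    """Attestation authority side: tag a capability manifest it has reviewed."""
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def verify_manifest(manifest: dict, tag: str, key: bytes = ATTESTATION_KEY) -> bool:
    """Client side: accept only capabilities covered by a valid attestation tag."""
    return hmac.compare_digest(attest_manifest(manifest, key), tag)


class ServerSession:
    """Per-server session state: its own key and a monotonic sequence counter."""

    def __init__(self, server_name: str, session_key: bytes):
        self.server_name = server_name
        self.session_key = session_key
        self.last_seq = 0

    def sign(self, body: dict, seq: int) -> dict:
        """Server side: origin-authenticate a message to the client."""
        payload = {"from": self.server_name, "seq": seq, "body": body}
        tag = hmac.new(self.session_key, canonical(payload), hashlib.sha256).hexdigest()
        return {**payload, "tag": tag}


class Client:
    def __init__(self):
        self.sessions = {}   # server_name -> ServerSession
        self.granted = {}    # server_name -> set of attested capabilities

    def register(self, manifest: dict, tag: str, session_key: bytes) -> bool:
        """Gap (1): refuse any capability set that is not covered by an attestation."""
        if not verify_manifest(manifest, tag):
            return False
        name = manifest["name"]
        self.granted[name] = set(manifest["capabilities"])
        self.sessions[name] = ServerSession(name, session_key)
        return True

    def accept(self, message: dict) -> bool:
        """Gaps (2) and (3): verify origin, reject replays, enforce attested scope."""
        session = self.sessions.get(message.get("from"))
        if session is None:
            return False
        payload = {k: message.get(k) for k in ("from", "seq", "body")}
        expected = hmac.new(session.session_key, canonical(payload), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, message.get("tag", "")):
            return False                      # wrong key or tampered body
        if message["seq"] <= session.last_seq:
            return False                      # replayed or reordered message
        if message["body"].get("method") not in self.granted[session.server_name]:
            return False                      # server acting beyond attested capabilities
        session.last_seq = message["seq"]
        return True


def demo() -> dict:
    """Exercise the three checks on constructed inputs; returns a dict of outcomes."""
    client = Client()
    weather = {"name": "weather", "capabilities": ["tools/call"]}
    good_tag = attest_manifest(weather)
    results = {"attested_ok": client.register(weather, good_tag, b"weather-session-key")}

    # A manifest claiming an extra capability does not match the attestation tag.
    overclaim = {"name": "files", "capabilities": ["tools/call", "sampling/createMessage"]}
    results["overclaim_rejected"] = not client.register(overclaim, good_tag, b"files-session-key")

    session = client.sessions["weather"]
    msg = session.sign({"method": "tools/call", "params": {"name": "forecast"}}, seq=1)
    results["authentic_msg_ok"] = client.accept(msg)
    results["replay_rejected"] = not client.accept(msg)

    # A correctly signed message for a method outside the attested set is refused.
    msg2 = session.sign({"method": "sampling/createMessage"}, seq=2)
    results["unattested_capability_rejected"] = not client.accept(msg2)

    # A message claiming to be from "weather" but tagged with a different key is refused.
    forged = ServerSession("weather", b"some-other-session-key").sign({"method": "tools/call"}, seq=3)
    results["forged_origin_rejected"] = not client.accept(forged)
    return results


if __name__ == "__main__":
    print(demo())
```

The point of keeping a separate `ServerSession` per server is that trust does not propagate: a message is only ever checked against the key of the server it claims to come from, and its method is only ever checked against that server's attested capabilities, so compromising or misconfiguring one server does not widen what another may do.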


Key Contributions

  • First systematic security analysis of the MCP v1.0 specification identifying three protocol-level architectural vulnerabilities not addressable by implementation hardening alone
  • ProtoAmp/MCPBench: a controlled experimental framework demonstrating MCP amplifies attack success rates 23–41% over non-MCP baselines across 847 scenarios and five server implementations
  • AttestMCP: a backward-compatible MCP protocol extension adding capability attestation and message authentication, reducing attack success from 52.8% to 12.4% with only 8.3ms median latency overhead

🛡️ Threat Analysis


Details

Domains
nlp
Model Types
llm
Threat Tags
black_box, inference_time
Datasets
847 attack scenarios across five MCP server implementations
Applications
llm agents, tool-integrated ai systems, mcp-compliant infrastructure