Insights
- MCP server architecture provides an intelligent tooling layer between AI agents and existing systems, a hub that decouples agents from integrations, enabling multiple agents to reuse the same MCP servers without reimplementing logic.
- However, because MCP enables AI assistants to access enterprise systems and external services, the protocol presents cybersecurity challenges.
- With few hardened reference implementations, no widely adopted security profile, and inconsistent operational practices, security vulnerabilities have already been exploited.
- Enterprises can take several steps to mitigate these threats, and should use a different security approach depending on the type of MCP server.
- An enterprise custom platform can provide a multilayer security architecture with the capabilities to adopt MCP securely.
MCP is an open standard that enables AI assistants to access external data sources and systems through a single, consistent interface. By acting as an intermediary, it eliminates the requirement for AI agents to connect individually to every tool or data source, simplifying integration across diverse models, databases, and content repositories.
For example, upstream energy operations still rely on fragmented commercial-off-the-shelf (COTS) software and proprietary systems for drilling, production, and reservoir management. These constraints limit energy companies’ ability to fully realize the benefits of agentic AI. In such a situation, MCP server architecture provides an intelligent tooling layer between AI agents and existing systems.
By offering standardized connectors to major platforms, MCP servers enable the necessary unified operational control and the synthesis of real-time information.
Block, a payments-focused financial technology company, deployed MCP across the entire organization, with 40% of its employees using its MCP-powered AI agent, Goose, by early 2025. The agent supports functions including software engineering, design, security, compliance, customer support, and sales. Software engineering is the most successful use case, increasing cross-team collaboration with MCP integration for code repositories, testing tools, and security scans.
Without MCP, the traditional approach of connecting large language models (LLMs) to content repositories, tools, and databases is complex, with many AI models connected to many tools. This leads to a huge number of connections. MCP significantly reduces this integration burden by allowing any AI application to communicate with any compliant data source or service through a shared interface. In effect, MCP acts as a hub layer that decouples agents from integrations, enabling multiple agents to reuse the same MCP servers without reimplementing logic (Figure 1).
Figure 1. MCP acts as a hub, simplifying connectivity
Source: Infosys
However, there’s a problem looming for large organizations using the MCP standard.
Because MCP enables AI assistants to access enterprise systems and external services, the protocol presents cybersecurity challenges. These include remote code execution, credential theft, and data exfiltration, with no dedicated MCP security solutions at present, according to Infosys analysis. Meanwhile, research from the cybersecurity vendor Trend Micro in July 2025 found 492 exposed MCP servers, with no authentication or encryption in place.
The threats to MCP
In the absence of a dedicated cyber defense system, MCP servers are vulnerable to a range of potential attacks.
- Cross-prompt injection (XPIA): This is when malicious content embedded in user interface elements or documents can override agent instructions, leading to unintended actions like data exfiltration, malware installation, or what are known as confused deputy attacks, where an AI model is fooled into misusing its legitimate permissions on behalf of an untrusted or less-privileged actor. Unlike traditional prompt injection, XPIA can occur without direct user input.
- Tool poisoning: This is when attackers hide malicious executable instructions in tool metadata, or descriptions that appear benign but lead to incorrect actions, data exposure, or unsafe behavior. This is a design vulnerability rather than an implementation flaw.
- Authentication gaps: MCP's authentication standards are relatively new and inconsistently adopted. OAuth, a popular standard used for determining who is allowed to do what and for mitigating the misuse of legitimate permissions by validating tokens before access, is currently optional. Implementations treat authentication as recommendations rather than mandatory controls, mainly because Anthropic wanted to reduce unnecessary friction and increase experimentation, placing the onus on each integration team to look after authentication vulnerabilities.
- Supply chain and registry risk: Without vetting mechanisms, public registries of MCP servers become vectors for malware distribution. This creates a vulnerability where trusted tools can be updated with malicious code by third parties, posing risks to all users.
- Session ID exposure: MCP implementations often expose session IDs in URLs (for example, GET /messages?sessionId=123), creating security risks such as session hijacking. Anyone who obtains the URL can impersonate the user until the session expires, since the server treats any request with that session ID as authenticated, with no password needed.
- Lack of message signing: The protocol provides no mechanism to verify message integrity. This allows person-in-the-middle attacks, where two parties are unaware that a third party is eavesdropping, modifying data, or injecting malicious content, and it allows message tampering to go undetected.
- Command injection patterns: Security research has identified widespread command injection vulnerabilities in MCP server implementations, with over 40% of public MCP servers susceptible to such flaws. This represents a systemic failure to implement basic input validation across the MCP ecosystem. Command injection attacks are when an attacker adds malicious descriptions so that, when the AI system reads them, it obeys hidden commands without the organization realizing it.
- Token storage vulnerabilities: MCP servers frequently store OAuth tokens in plaintext configuration files or memory, creating single points of failure. If tokens are compromised, an attacker can gain persistent access to all connected services without the user’s awareness.
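As an added illustration of the message-signing and command-injection items above (example code, not from the original article or from any MCP SDK), the following Python wraps a JSON-RPC tool call in an HMAC envelope with a freshness window, and contrasts a tool handler that interpolates model-supplied text into a shell command with one that builds an argv list from an allowlist. The shared key, repository allowlist and tool name are constructed for the example.

```python
import hashlib
import hmac
import json
import time
from typing import Optional

# Shared secret between agent and MCP server (constructed for this example; in practice
# provisioned out of band and kept in a secret store, never in a plaintext config file).
SHARED_KEY = b"example-key-replace-me"
MAX_AGE_SECONDS = 30

def canonical(obj: dict) -> bytes:
    """Stable serialization so both sides MAC exactly the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def sign(msg: dict, key: bytes = SHARED_KEY, now: Optional[int] = None) -> dict:
    """Wrap a JSON-RPC message in an envelope carrying a timestamp and an HMAC-SHA256 tag."""
    ts = int(time.time()) if now is None else now
    tag = hmac.new(key, canonical({"ts": ts, "msg": msg}), hashlib.sha256).hexdigest()
    return {"ts": ts, "msg": msg, "sig": tag}

def verify(env: dict, key: bytes = SHARED_KEY, now: Optional[int] = None) -> Optional[dict]:
    """Return the inner message only if the tag matches and the envelope is fresh."""
    try:
        expected = hmac.new(key, canonical({"ts": env["ts"], "msg": env["msg"]}), hashlib.sha256).hexdigest()
    except (KeyError, TypeError):
        return None
    if not hmac.compare_digest(expected, str(env.get("sig", ""))):
        return None  # contents or timestamp altered in transit
    if abs((int(time.time()) if now is None else now) - env["ts"]) > MAX_AGE_SECONDS:
        return None  # stale envelope, possibly replayed
    return env["msg"]

# Constructed tool request in the JSON-RPC 2.0 shape MCP uses.
CALL = {"jsonrpc": "2.0", "id": 7, "method": "tools/call",
        "params": {"name": "git_log", "arguments": {"repo": "payments-api"}}}
ALLOWED_REPOS = {"payments-api", "ops-dashboard"}  # constructed allowlist

def build_command_vulnerable(arguments: dict) -> str:
    """Anti-pattern: model-supplied text interpolated into a shell command line."""
    return f"git -C /srv/{arguments['repo']} log -1"

def build_command_hardened(arguments: dict) -> Optional[list]:
    """Allowlisted value placed into an argv list; never passed through a shell."""
    repo = arguments.get("repo")
    if repo not in ALLOWED_REPOS:
        return None
    return ["git", "-C", f"/srv/{repo}", "log", "-1"]
```

The hardened builder returns the argv list so the caller can pass it to subprocess without shell=True; any value outside the allowlist is refused before a process is started.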
The scale of these vulnerabilities is worrying, and the risk to organizations is severe, leaving many to ask why MCP servers are in such a poor state. The reason is that the protocol was built for flexibility and interoperability, and the standard didn’t mandate strong security controls as part of its core framework when introduced by Anthropic in 2024. While this worked well for development and testing, it created a large attack surface in production environments.
Also, there was fast community adoption before best practices could surface, and many implementations lacked strong controls, with security left to those teams that actually implemented code, creating inconsistent protections across different servers. Coupled with MCP’s open ecosystem of third-party open-source servers and the fact that security standards for AI integration are still emerging, it is clear that MCP server security remains immature. Rapid adoption, weak defaults, and inconsistent implementations have made the technology unnecessarily vulnerable in 2026.
With few hardened reference implementations, no widely adopted security profile, and inconsistent operational practices, these vulnerabilities have already been exploited.
Command injection vulnerabilities, along with database exposure and lack of read-only permissions, led to the Supabase “Lethal Trifecta” attack, where attackers proved that complete SQL database exposure was possible through public support channels. In the attack scenario, the Cursor AI agent was used with service role access to process malicious user tickets, circumventing the normal enterprise security posture and writing proprietary information to the user ticket without organizational awareness.
In another example, known as the Asana MCP cross-tenant data leak, customer data was shown to bleed between tenant instances, exposing project data between organizations. The company disabled MCP once the vulnerability was detected in June 2025, and the service was down for more than two weeks while engineers fixed the vulnerability.
GitHub was the subject of another attack. Discovered by Invariant, a security company, in 2025, the GitHub MCP server was shown to allow attackers to access private repository data through what is now known as a toxic agent flow. In this scenario, the agent is manipulated into performing unintended actions when it begins to read instructions on a public repository, which contains a prompt injection just waiting for the agent to execute the command.
Any one of these eight attack vectors, used either in isolation or in combination, as in the three examples above, can lead to significant reputational risk and actual damage to the organization, according to the Infosys report on responsible enterprise AI in the agentic era.
How to create a new MCP defense posture
As shown in Figure 2, enterprises can take several steps to mitigate these threats.
Figure 2. Security best practices for MCP servers
Source: Infosys
The importance of MCP server type
The MCP server landscape is diverse. Vendor organizations like Microsoft and GitHub that expose specific functions to AI applications through MCP have a different security posture and attack surface than open-source MCP servers, which are again different from an enterprise’s internal and developer-created servers. To help, organizations should use a different security approach depending on the type of MCP server.
- Vendor-provided servers: With no access to code and only URL-level visibility, the primary risks of MCP here are an inability to verify internal logic or security practices; potential hidden vulnerabilities or undocumented features; dependence on vendor updates and patches for security fixes; and limited visibility into compliance with enterprise security standards. Organizations using these servers should use proxy monitoring, a sort of security checkpoint between an AI agent and enterprise systems that ensures the agent acts only under necessary supervision. This proxy also tracks network interactions and conducts behavioral analysis to detect anomalies in runtime behavior.
- Open-source servers: Full repository access, along with code visibility and control are the main features of this server type. The primary risks in open-source MCP are the presence of unpatched vulnerabilities or insecure coding practices; dependency on third-party libraries that could have known exploits; risk of malicious code injection through community contributions; and lack of guaranteed adherence to enterprise security policies. The best security approaches for open-source include automated security scanning for known vulnerabilities and human review for logic flaws and compliance.
- Enterprise internal servers: When enterprises have complete control over their source code, the main threats from internal servers are the inconsistent application of secure coding practices, gaps in code review or testing processes, vulnerabilities introduced during rapid development cycles, insider threats, and accidental misconfigurations. Organizations should prioritize secure development practices and integrate security checks into continuous integration and continuous deployment pipelines.
- Developer-created servers: The main risks for these MCP servers are a lack of formal security review or approval process, and the use of outdated or insecure frameworks. Also troubling are poor documentation, an absence of compliance checks, and a greater chance of flaws due to lack of expertise or rushed work. To mitigate these risks, we advise a comprehensive risk assessment to evaluate potential threats, and approval of workflows before deployment.
The platform approach
Scaling AI effectively means building a poly-AI architecture grounded in strong governance, as set out in this Infosys paper — The key to achieving production-grade agentic AI.
“This platform-based approach enables access-controlled, performance-optimized, and regulatory-compliant guardrails that work across multiple cloud vendors and generative AI models, while providing a centralized repository for agent selection and orchestration,” write the authors.
In this setup, responsible AI (RAI) guardrails are provided through a gateway that controls the flow of requests to various LLMs and agents and manages authentication and authorization.
Enterprises must embed these security best practices in the platform, along with other guardrails.
These security guardrails include security scanning, security scoring, an MCP registry, audit logging and alerting, and real-time monitoring and observability (Figure 3). This enterprise custom platform then provides a multilayer security architecture with the capabilities to adopt MCP securely.
The centralized MCP registry is particularly important. An enterprise can maintain a centralized MCP registry, allowing access only to MCP servers that have been reviewed by a central body such as an AI center of excellence, RAI office, or information security group, which verifies that the server is safe to use. Users, internal or external, can submit requests for MCP servers or create custom MCP servers and submit them for review and approval, after which the MCP server is added to the central MCP registry.
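The registry gate described above, as an added example (not Infosys platform code): a client resolves an MCP server by name and is refused unless the registry entry is approved, meets a minimum security score from the scanning and scoring guardrails, and still matches the manifest hash pinned at review time, with every decision written to an audit log. Server names, endpoints, scores and the score threshold are constructed for the example.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class RegistryEntry:
    name: str
    endpoint: str
    approved_by: str          # reviewing body, e.g. RAI office or information security
    security_score: int       # output of the scanning/scoring guardrail, 0..100
    manifest_sha256: str      # hash of the server manifest pinned at approval time
    status: str = "approved"  # approved | pending | revoked

MIN_SCORE = 70              # threshold is an assumption for this example
AUDIT_LOG: List[dict] = []  # stands in for the platform's audit logging and alerting

def pin(manifest: bytes) -> str:
    return hashlib.sha256(manifest).hexdigest()

def resolve(registry: Dict[str, RegistryEntry], name: str, manifest: bytes) -> Optional[str]:
    """Return the endpoint only for an approved, adequately scored, unchanged server."""
    entry = registry.get(name)
    if entry is None:
        reason = "not in registry"
    elif entry.status != "approved":
        reason = f"status is {entry.status}"
    elif entry.security_score < MIN_SCORE:
        reason = f"score {entry.security_score} below {MIN_SCORE}"
    elif pin(manifest) != entry.manifest_sha256:
        reason = "manifest changed since approval"
    else:
        reason = None
    AUDIT_LOG.append({"server": name, "allowed": reason is None, "reason": reason})
    return entry.endpoint if reason is None else None

# Constructed manifests and registry entries (hypothetical names and endpoints).
JIRA_MANIFEST = b'{"name":"jira-tools","tools":["create_issue","search"]}'
SCAN_MANIFEST = b'{"name":"repo-scanner","tools":["scan"]}'
REGISTRY = {
    "jira-tools": RegistryEntry("jira-tools", "https://mcp.example.internal/jira",
                                "InfoSec", 88, pin(JIRA_MANIFEST)),
    "repo-scanner": RegistryEntry("repo-scanner", "https://mcp.example.internal/scan",
                                  "AI CoE", 92, pin(SCAN_MANIFEST), status="pending"),
}
```

A server whose manifest changes after approval (for example a tool description edited upstream) fails the hash check and must go back through review, which is how the registry also counters the tool-poisoning and supply chain risks listed earlier.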
Figure 3. A platform approach to MCP security
Source: Infosys
The next step
Agentic AI is potentially transformative in a range of applications such as unified operational control in upstream oil and gas companies, as discussed above; software engineering; coordinated patient care in healthcare; inventory discrepancy in consumer, retail, and logistics organizations; discretionary risk management at global banks; aircraft and shop-floor maintenance in manufacturing; and business sales process in telecom companies, among other use cases we are working on with clients.
In these industries, networks of specialized AI agents work together within complex business processes. With MCP a key means of connecting agents with COTS systems, it is vital that these systems are secure.