MCP security: The current situation

MCP security: The current situation The GitHub MCP server security flaw The Anthropic Filesystem MCP server flaw Hundreds of vulnerable MCP servers in the wild Final thoughts Red Hat AI About the author Huzaifa Sidhpurwala More like this Refactoring isn’t just technical—it’s an economic hedge Red Hat AI Enterprise: Bridging the gap from experimentation to production scale Understanding AI Security Frameworks | Compiler Data Security And AI | Compiler Keep exploring Browse by channel Automation Artificial intelligence Open hybrid cloud Security Edge computing Infrastructure Applications Virtualization Share The Model Context Protocol (MCP) is an open protocol designed to standardize how large language models (LLMs) connect to external tools, APIs, and data sources. This abstraction layer is becoming more important as enterprises move beyond isolated chat interfaces toward AI systems that must integrate with ticketing platforms, code repositories, CI/CD pipelines, knowledge bases, cloud services, and more. MCP offers a shared interface for using tools and sharing data, which makes it easier to connect systems, allowing improvements in portability, and helps build scalable AI-driven automation. MCP is particularly significant in the era of agentic AI, where models do more than generate text—they plan, “reason,” and take actions across external systems. In such architectures, an AI agent may autonomously retrieve data, execute commands, and trigger workflows. This expanded capability dramatically increases the security stakes, as MCP's design allows it to act on the user's behalf. A core principle is the agent should only do what the user is permitted to do. If the server isn’t carefully designed, you risk a confused deputy scenario, where the server (deputy) with broad privileges performs an action that a particular user shouldn’t have access to. A wealth of resources exists in MCP’s Security Best Practices guide, detailing the proper implementation of both the server and client components of MCP, analyzing potential security vulnerabilities and providing corrective security guidance for the development and configuration of MCP-based products. With this information and our expertise, we are presenting ways you can use open technologies and Red Hat products to develop, configure and deploy secure MCP servers. In this article, the first in a planned series, we put MCP security into perspective by discussing recent MCP security issues that expose systems to remote code execution, data exfiltration, and even privilege escalation. The GitHub MCP vulnerability found in May 2025 demonstrates a prompt-injection-driven attack against agentic AI systems using the GitHub Model Context Protocol (MCP) integration.