Vulnerability Taxonomy | The Vulnerable MCP Project

Vulnerability Categories

Each vulnerability is classified into one primary category based on its root cause. Click a category heading to filter the main database.

Prompt Injection / Instruction Boundary Failures

13 vulns

Attacks that exploit the inability to distinguish between instructions and data, allowing malicious input to manipulate LLM behavior.

MCP Sampling Exploitation: Three Attack Classes Amp AI Agent API Key Exfiltration via Prompt Injection Zero-Click RCE via Google Docs MCP Integration Cursor + Jira MCP 0-Click Credential Exfiltration Universal Output Poisoning: No MCP Output Is Safe Heroku MCP Exploit: Malicious App Ownership Transfer GitHub MCP Exploit: Private Repository Data Exfiltration Tool Function Parameter Abuse ANSI Terminal Code Deception in MCP Conversation History Theft via MCP Line Jumping Attack WhatsApp Message Exfiltration via MCP Tool Poisoning Attacks

Input Validation / Sanitization Failures

17 vulns

Failures to properly validate, sanitize, or filter inputs that flow through MCP tool interfaces.

Anthropic Git MCP Server RCE Chain (CVE-2025-68145 / 68143 / 68144) GitHub Kanban MCP Server RCE (CVE-2026-0756) Microsoft MarkItDown MCP Server SSRF Zen MCP Server Path Traversal (CVE-2025-66689) filesystem-mcp Path Traversal (CVE-2025-67366) gemini-mcp-tool Command Injection (CVE-2026-0755) Fetch MCP Server SSRF (CVE-2025-65513) Cursor Case-Sensitivity File Protection Bypass (CVE-2025-59944) Framelink Figma MCP Server RCE (CVE-2025-53967) Microsoft Learn MCP Server SSRF (TRA-2025-36) Rogue MCP Server Browser Injection in Cursor mcp-remote OS Command Injection (CVE-2025-6514) Kubernetes MCP Server Command Injection (CVE-2025-53355) Docker Sandbox Escape in node-code-sandbox-mcp (CVE-2025-53372) Command Injection in create-mcp-server-stdio (CVE-2025-54994) MCP Inspector Remote Code Execution (CVE-2025-49596) Tool Poisoning to Remote Code Execution (Rug Pull Method)

Authentication / Authorization Failures

5 vulns

Weaknesses in authenticating MCP servers, authorizing tool access, or managing user consent.

MCPJam Inspector RCE (CVE-2026-23744) Kluster Verify MCP Server Credit Exhaustion thirdweb MCP Server Unauthorized Crypto Transactions Grafana MCP Server Unauthenticated SSE Access Consent Fatigue Attacks

Session Management Design Flaws

2 vulns

Protocol-level and implementation weaknesses in how MCP sessions are created, maintained, and terminated.

MCP TypeScript SDK Cross-Client Data Leak (CVE-2026-25536) Session IDs Exposed in URLs

Integrity / Verification Control Failures

4 vulns

Absence of mechanisms to detect or prevent unauthorized modification of tool definitions, descriptions, or behavior.

Cursor MCP Definition Bypass / MCPoison (CVE-2025-54136) Rug Pulls: Silent Tool Redefinition Cross-Server Tool Shadowing Tool Name Collisions

Trust Model Design Flaws

4 vulns

Fundamental architectural assumptions about trust that create systemic vulnerabilities in the MCP ecosystem.

MCP Registry Hijacking (Supply Chain) Kilo Code AI Agent Supply Chain Attack Malicious Local MCP Servers MCP Safety Audit: Systematic Exploit Analysis

Credential Management Failures

1 vuln

Insecure handling, storage, or transmission of API keys, tokens, and other credentials used by MCP servers.

Insecure Credential Storage in MCP Ecosystem

Network Security / Transport Failures

4 vulns

Vulnerabilities in network-level protections including DNS rebinding, SSRF, default binding to all interfaces, and transport-layer security failures in MCP deployments.

Vet MCP Server DNS Rebinding (CVE-2025-59163) Coder Agent API Chat History Exposure via DNS Rebinding Neo4j MCP Cypher Server DNS Rebinding / Database Takeover DNS Rebinding in Official MCP SDKs (CVE-2025-66414 / CVE-2025-66416)

Severity Rating Scale

Severity is assessed based on exploitability, impact scope, and real-world risk.

Critical Actively exploited or trivially exploitable with severe impact 13 High Significant risk requiring prompt attention 30 Medium Moderate risk with limited scope or requiring specific conditions 6 Low Minor risk with minimal impact 0 Info Informational finding with no direct risk 1

Exploitability Levels

How difficult it is for an attacker to exploit the vulnerability in practice.

Trivial No special skills or tools needed; publicly documented steps 4

Easy Basic technical knowledge required; proof-of-concept exists 18

Moderate Requires understanding of MCP internals or specific conditions 27

Difficult Requires advanced skills, chaining multiple vulnerabilities, or rare conditions 0

Theoretical No known public exploit; risk is based on design analysis 1

Cisco AI Security Framework Mapping

Vulnerabilities mapped to attacker objectives from the Cisco AI Security Framework.

Goal Hijacking

Manipulating AI agent goals to serve attacker objectives instead of user intent

MCP Sampling Exploitation: Three Attack Classes Amp AI Agent API Key Exfiltration via Prompt Injection Kilo Code AI Agent Supply Chain Attack Zero-Click RCE via Google Docs MCP Integration Cursor + Jira MCP 0-Click Credential Exfiltration Universal Output Poisoning: No MCP Output Is Safe GitHub MCP Exploit: Private Repository Data Exfiltration Tool Function Parameter Abuse ANSI Terminal Code Deception in MCP Conversation History Theft via MCP Line Jumping Attack Rug Pulls: Silent Tool Redefinition Cross-Server Tool Shadowing WhatsApp Message Exfiltration via MCP Tool Poisoning Attacks Consent Fatigue Attacks Tool Name Collisions

Data Privacy Violation

Unauthorized access, collection, or exfiltration of sensitive user data

MCP TypeScript SDK Cross-Client Data Leak (CVE-2026-25536) Microsoft MarkItDown MCP Server SSRF Zen MCP Server Path Traversal (CVE-2025-66689) filesystem-mcp Path Traversal (CVE-2025-67366) Fetch MCP Server SSRF (CVE-2025-65513) MCP Sampling Exploitation: Three Attack Classes MCP Registry Hijacking (Supply Chain) Amp AI Agent API Key Exfiltration via Prompt Injection Microsoft Learn MCP Server SSRF (TRA-2025-36) Coder Agent API Chat History Exposure via DNS Rebinding Neo4j MCP Cypher Server DNS Rebinding / Database Takeover Zero-Click RCE via Google Docs MCP Integration thirdweb MCP Server Unauthorized Crypto Transactions Cursor + Jira MCP 0-Click Credential Exfiltration GitHub MCP Exploit: Private Repository Data Exfiltration Tool Function Parameter Abuse Insecure Credential Storage in MCP Ecosystem Conversation History Theft via MCP Tool Poisoning to Remote Code Execution (Rug Pull Method) WhatsApp Message Exfiltration via MCP Tool Poisoning Attacks

Privilege Escalation

Gaining unauthorized elevated access to systems, resources, or capabilities

MCPJam Inspector RCE (CVE-2026-23744) Anthropic Git MCP Server RCE Chain (CVE-2025-68145 / 68143 / 68144) GitHub Kanban MCP Server RCE (CVE-2026-0756) gemini-mcp-tool Command Injection (CVE-2026-0755) Cursor Case-Sensitivity File Protection Bypass (CVE-2025-59944) Framelink Figma MCP Server RCE (CVE-2025-53967) Zero-Click RCE via Google Docs MCP Integration Cursor MCP Definition Bypass / MCPoison (CVE-2025-54136) Rogue MCP Server Browser Injection in Cursor mcp-remote OS Command Injection (CVE-2025-6514) Kubernetes MCP Server Command Injection (CVE-2025-53355) Docker Sandbox Escape in node-code-sandbox-mcp (CVE-2025-53372) Command Injection in create-mcp-server-stdio (CVE-2025-54994) MCP Inspector Remote Code Execution (CVE-2025-49596) Line Jumping Attack Tool Poisoning to Remote Code Execution (Rug Pull Method) Malicious Local MCP Servers MCP Safety Audit: Systematic Exploit Analysis

Integrity Compromise

Unauthorized modification of tool definitions, data, or system behavior

Anthropic Git MCP Server RCE Chain (CVE-2025-68145 / 68143 / 68144) Cursor Case-Sensitivity File Protection Bypass (CVE-2025-59944) Grafana MCP Server Unauthenticated SSE Access Cursor MCP Definition Bypass / MCPoison (CVE-2025-54136) Universal Output Poisoning: No MCP Output Is Safe Heroku MCP Exploit: Malicious App Ownership Transfer Rug Pulls: Silent Tool Redefinition Cross-Server Tool Shadowing Tool Name Collisions

Unauthorized Access

Accessing resources, systems, or data without proper authorization

MCPJam Inspector RCE (CVE-2026-23744) Anthropic Git MCP Server RCE Chain (CVE-2025-68145 / 68143 / 68144) GitHub Kanban MCP Server RCE (CVE-2026-0756) Microsoft MarkItDown MCP Server SSRF Zen MCP Server Path Traversal (CVE-2025-66689) filesystem-mcp Path Traversal (CVE-2025-67366) gemini-mcp-tool Command Injection (CVE-2026-0755) Fetch MCP Server SSRF (CVE-2025-65513) MCP Sampling Exploitation: Three Attack Classes Kluster Verify MCP Server Credit Exhaustion Vet MCP Server DNS Rebinding (CVE-2025-59163) Framelink Figma MCP Server RCE (CVE-2025-53967) Microsoft Learn MCP Server SSRF (TRA-2025-36) Neo4j MCP Cypher Server DNS Rebinding / Database Takeover thirdweb MCP Server Unauthorized Crypto Transactions Grafana MCP Server Unauthenticated SSE Access Rogue MCP Server Browser Injection in Cursor DNS Rebinding in Official MCP SDKs (CVE-2025-66414 / CVE-2025-66416) mcp-remote OS Command Injection (CVE-2025-6514) Kubernetes MCP Server Command Injection (CVE-2025-53355) Docker Sandbox Escape in node-code-sandbox-mcp (CVE-2025-53372) Heroku MCP Exploit: Malicious App Ownership Transfer Command Injection in create-mcp-server-stdio (CVE-2025-54994) MCP Inspector Remote Code Execution (CVE-2025-49596) Insecure Credential Storage in MCP Ecosystem Consent Fatigue Attacks Session IDs Exposed in URLs

Supply Chain Compromise

Introducing vulnerabilities through compromised tools, packages, or dependencies

MCP Registry Hijacking (Supply Chain) Kilo Code AI Agent Supply Chain Attack ANSI Terminal Code Deception in MCP Malicious Local MCP Servers MCP Safety Audit: Systematic Exploit Analysis

Communication Compromise

Intercepting or manipulating communications between MCP components

MCP TypeScript SDK Cross-Client Data Leak (CVE-2026-25536) Vet MCP Server DNS Rebinding (CVE-2025-59163) Coder Agent API Chat History Exposure via DNS Rebinding DNS Rebinding in Official MCP SDKs (CVE-2025-66414 / CVE-2025-66416) Session IDs Exposed in URLs

Tag Vocabulary

Standardized tags for cross-cutting concerns and attack characteristics.

Affected Components

Which parts of the MCP architecture are impacted.

MCP Client

Vulnerabilities in MCP client implementations (e.g., Claude Desktop, Cursor)

16 vulns

MCP Server

Vulnerabilities in MCP server implementations

38 vulns

MCP Protocol

Vulnerabilities in the MCP protocol specification itself

5 vulns

MCP Ecosystem

Vulnerabilities in the broader MCP tooling ecosystem (inspectors, registries)

6 vulns