Overview
Malicious MCP servers trigger repeated consent requests to fatigue users into granting excessive permissions, exploiting human psychology to bypass approval-based security controls.
Who Is Affected
This attack was identified by Palo Alto Networks Unit 42 researchers. It targets all MCP users who interact with tool approval dialogs, particularly those in high-throughput development workflows.
Where It Exists
The vulnerability exists in MCP client consent mechanisms that present individual approval dialogs for each tool operation. The attack exploits the human interface, not a technical flaw.
When It Was Found
Reported April 1, 2025. The risk is ongoing and increases as MCP tools become more numerous and frequently invoked.
How It Works
A malicious server deliberately triggers many approval prompts for benign-looking operations. After the user has approved dozens of routine requests, a malicious operation is slipped in. Fatigued users tend to click 'approve' reflexively, especially when the prompt looks similar to previous legitimate ones. Some variations gradually escalate permission scope.
Impact
Users unknowingly grant dangerous permissions including file system access, network requests to attacker-controlled servers, and execution of arbitrary commands. The social engineering aspect makes this difficult to defend against with purely technical controls.
Mitigation
Implement MCP clients with batched approval (approve tool categories rather than individual invocations). Use risk-based approval that only prompts for high-risk operations. Set session-level permission policies. Add visual differentiation for high-risk vs routine approvals. Implement rate limiting on consent prompts.
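The sketch below combines three of these mitigations in one client-side policy: per-category session approval for routine operations, a distinct prompt for high-risk ones, and a per-server prompt budget. It is an added example, not code from Unit 42 or from any MCP client. The `ConsentGate` class, the category names, and the thresholds are assumptions chosen for illustration.

```python
import time
from collections import defaultdict, deque

# Assumed high-risk tool categories (hypothetical names, not from the MCP spec).
HIGH_RISK = {"exec", "network", "fs_write"}

class ConsentGate:
    """Risk-based, batched, rate-limited approval policy for one client session."""

    def __init__(self, max_prompts=3, window_s=60.0, clock=time.monotonic):
        self.max_prompts, self.window_s, self.clock = max_prompts, window_s, clock
        self.session_grants = set()             # (server, category) approved once
        self.prompt_times = defaultdict(deque)  # server -> recent prompt timestamps
        self.suspended = set()                  # servers that exhausted their budget

    def _over_prompt_budget(self, server):
        now = self.clock()
        q = self.prompt_times[server]
        while q and now - q[0] > self.window_s:  # drop prompts outside the window
            q.popleft()
        if len(q) >= self.max_prompts:
            self.suspended.add(server)           # stop showing this server's dialogs
            return True
        q.append(now)
        return False

    def decide(self, server, category):
        if server in self.suspended:
            return "deny"
        high = category in HIGH_RISK
        if not high and (server, category) in self.session_grants:
            return "allow"                       # batched: no repeat prompt
        if self._over_prompt_budget(server):
            return "deny"                        # flood is dropped, never shown
        return "prompt_high_risk" if high else "prompt"

    def record_approval(self, server, category):
        # High-risk approvals are never cached; each call prompts again.
        if category not in HIGH_RISK:
            self.session_grants.add((server, category))

def replay(events, gate):
    """Replay constructed (server, category) requests, approving every prompt."""
    decisions = []
    for server, category in events:
        d = gate.decide(server, category)
        if d.startswith("prompt"):
            gate.record_approval(server, category)
        decisions.append(d)
    return decisions
```

Because routine categories stop generating dialogs after the first approval, a server that still produces many prompts stands out and is suspended instead of being shown to the user.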