Overview
A widespread practice across the MCP ecosystem is storing long-term API keys in plaintext on the local filesystem, often with world-readable permissions. The pattern was observed in official and third-party MCP servers connecting to services such as GitLab, Postgres, and Google Maps.
Who Is Affected
Discovered by Keith Hoodlet at Trail of Bits through systematic analysis of MCP server implementations. Affects users of numerous popular MCP servers who have configured API keys for third-party services.
Where It Exists
API keys and credentials are stored in plaintext configuration files, environment files, or JSON configuration that MCP servers read at startup. Common locations include ~/.mcp/, project-level .env files, and mcp-config.json files with 0644 or broader permissions.
When It Was Found
Published April 30, 2025. The issue is systemic across the ecosystem and predates the report, having been the default pattern in most MCP server implementations since the ecosystem's early days.
How It Works
MCP servers instruct users to place API keys in local configuration files. These files are stored in plaintext with default filesystem permissions (often world-readable). Any local process, malware, backup system, or file disclosure vulnerability can read these keys. Cloud sync services may also upload these files to remote storage.
Impact
Compromise of all third-party service credentials stored for MCP use. Attackers gain access to user accounts on services like GitHub, GitLab, Google Cloud, databases, and communication platforms. The attack surface is broad because a single file disclosure vulnerability in any local application exposes all stored MCP credentials.
Mitigation
Use operating system keychain/credential store APIs instead of plaintext files. Set restrictive file permissions (0600) on any configuration files containing credentials. Use short-lived tokens with automatic refresh instead of long-lived API keys. Audit MCP server source code for credential storage practices before installation.
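As an added example (not code from the original report or from any MCP project), the following Python audit checks the configuration locations named above for group/other-readable permissions and for JSON keys whose names suggest a plaintext credential, and can tighten loose files to 0600. The list of credential key-name hints and the set of paths passed in are assumptions.

```python
import json
import stat
from pathlib import Path

# Permission bits that let anyone other than the owner read the file.
GROUP_OTHER_READ = stat.S_IRGRP | stat.S_IROTH
# Assumed key names that typically carry credentials in MCP JSON configs.
SECRET_KEY_HINTS = ("api_key", "apikey", "token", "secret", "password")


def is_world_readable(path: Path) -> bool:
    """True if group or others can read the file (0644 and broader)."""
    return bool(stat.S_IMODE(path.stat().st_mode) & GROUP_OTHER_READ)


def plaintext_secret_keys(path: Path) -> list:
    """Dotted JSON paths whose key name suggests a non-empty string secret."""
    try:
        data = json.loads(path.read_text())
    except (ValueError, UnicodeDecodeError):
        return []  # .env and other non-JSON files get the permission check only
    found = []

    def walk(node, prefix=""):
        if isinstance(node, dict):
            for key, value in node.items():
                name = f"{prefix}.{key}" if prefix else key
                if (any(h in key.lower() for h in SECRET_KEY_HINTS)
                        and isinstance(value, str) and value):
                    found.append(name)
                walk(value, name)
        elif isinstance(node, list):
            for i, value in enumerate(node):
                walk(value, f"{prefix}[{i}]")

    walk(data)
    return found


def audit(paths, fix=False) -> dict:
    """Report each existing file; with fix=True, tighten loose files to 0600."""
    report = {}
    for path in map(Path, paths):
        if not path.is_file():
            continue
        loose = is_world_readable(path)
        if loose and fix:
            path.chmod(0o600)  # owner read/write only; group and others lose access
        report[str(path)] = {"world_readable": loose, "fixed": loose and fix,
                             "secret_keys": plaintext_secret_keys(path)}
    return report
```

A typical call is `audit([Path.home() / ".mcp" / "config.json", Path(".env"), Path("mcp-config.json")], fix=True)`; flagged keys in the report are candidates for moving into the OS keychain.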