MCP (Model Context Protocol) introduces architectural security risks into LLM environments that cannot be resolved through patching or configuration changes. Researcher Gianpietro Cutolo from Netskope identifies three core attack classes: indirect prompt injection (LLMs cannot distinguish content from instructions, enabling malicious instructions hidden in emails or documents to trigger real actions), tool poisoning (malicious instructions planted in MCP server tool metadata), and Rug Pull attacks (silent malicious modification of MCP servers with no notification mechanism). In MCP-enabled environments, LLMs execute real actions autonomously — accessing files, calling APIs, triggering workflows — making these vulnerabilities far more dangerous than hallucinations. Mitigations include separating MCP servers by data sensitivity, scanning tool metadata, enforcing least-privilege permissions, logging all MCP traffic, and keeping humans in the loop for sensitive actions.
Sort: