AI/ML, AI benefits/risks, Application security, Exposure management

Why Model Context Protocols are the next AI security blind spot

The robot is out of control. AI controls itself. Loss of influence on AI. Human hand manipulating robot puppet. Freedom concept. Artificial Intelligence technology.

COMMENTARY: AI agents are moving from novelty to infrastructure at record speed. In the race to make them more capable, developers are bolting on Model Context Protocols (MCPs) — plugins that act as connectors between agents and the APIs, tools, or execution environments they control. They’re the part of the AI stack that turns a prompt into action. That’s also where the danger lives.

Pynt recent research analyzed 281 real-world MCP configurations from open agent frameworks and plugin stacks. On the surface, many looked safe. But when studied how they interacted, the risk picture changed dramatically: seemingly harmless plugins, when combined, created invisible attack surfaces capable of high-impact exploits with no human in the loop. And these aren’t theoretical “lab condition” vulnerabilities. We found agents in the wild that could be exploited by a single crafted email, Slack message, or piece of HTML scraped from the web, leading directly to silent code execution.

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]

The numbers should make you uncomfortable

The research revealed that 72% of MCPs exposed powerful actions attackers could abuse, from writing to disk to executing code or calling high-permission APIs — often with no approval checkpoints. Just two MCPs, one taking untrusted input and another with privileged execution rights, raise exploit likelihood to 36%. With three MCPs, the risk jumps to 52%. Install 10 MCPs in a system and your theoretical exploitation risk hits 92%. Thirteen percent of MCPs accept attacker-controlled inputs directly from sources like Slack, email, or web scraping, and 9% combine untrusted inputs with privileged execution, meaning they can be fully exploited without zero-days, malware, or lateral movement.

From APIs to execution layers

The shift from APIs to MCPs is subtle but transformative. APIs expose data and functionality. MCPs execute. They can run inside local environments with deep system access, often bypassing the layered security models that were built for web services. We’ve been here before.

API sprawl led to data leakage and privilege escalation issues. Security teams learned to manage permissions, enforce authentication, and limit scopes. But MCP risk isn’t about a single endpoint’s permissions. It’s about the way multiple capabilities combine into an execution path. That’s the core of MCP compositional risk: a plugin that scrapes content, another that parses it, and a third that executes commands can form an exploit chain, even if each one on its own seems safe.

Why existing defenses aren’t enough

Traditional security controls, like static analysis, permission audits, or sandboxing were never designed for the dynamic, chained nature of MCP-powered agents. Static checks can’t model runtime chain-of-events where input from one MCP becomes executable code in another.

Permission reviews might approve each plugin’s scope individually but fail to detect when combinations create new privilege escalation routes. Sandboxing helps in isolation but breaks down when MCPs interact across boundaries in ways that aren’t properly segmented. An MCP ecosystem behaves more like a live, composable program than a static set of APIs. That demands a security model that can see and evaluate chains of actions in context.

The reality of agent sprawl

It’s tempting to think compositional exploits are edge cases. They’re not. In real deployments, MCPs proliferate fast. Teams install plugins for everything — data ingestion, parsing, transformation, storage, execution — because they want agents that can operate autonomously. Very few teams systematically review the interplay of these components. This is exactly how “agent sprawl” happens: every new MCP adds not just its own risk, but new pathways for exploitation when combined with existing ones. By the time an AI agent has a dozen plugins, it’s less a “tool” and more a programmable backdoor waiting for the right sequence of inputs.

Why this is a business problem, not just a technical one

If you think this is a niche security concern, consider the business stakes. MCP-powered agents are increasingly wired into sensitive workflows: sales automation, customer service, DevOps, even security orchestration. A breach here isn’t just about data loss, but an attacker being able to take actions in your environment with the speed, precision, and persistence of an automated system. That kind of exploit doesn’t just steal — it acts. And because many MCP attacks leave little traditional forensic trace, incidents will be harder to detect and harder to investigate. The first high-profile exploit will not be a “wake-up call” for the industry, it will be a headline-grabbing incident with real operational and reputational fallout.

What must change now

Security teams need to address MCP compositional risk by design, not as an afterthought. That means:

  • Limit MCP exposure: Enable only the plugins and servers actively in use. Remove the rest. Every unused MCP is another potential pathway for an attacker.
  • Add human-in-the-loop approvals: Use MCP host approval features to require explicit user confirmation for every high-privilege action.
  • Isolate execution environments: Contain high-privilege MCPs in separate sandboxes so they can’t be chained together invisibly.
  • Implement chain-aware validation: Move beyond static checks. Monitor and validate runtime execution paths across MCPs to catch dangerous compositions before they execute.

A shift in mindset

The security world learned to live with APIs by building frameworks for governance, monitoring, and access control. We don’t have that same maturity for MCPs yet — but we need it. Fast. MCPs aren’t going away. They’re becoming the execution layer of modern software, and with that comes a new class of systemic risk — compositional, dynamic, and silent until it’s too late. The organizations that get ahead of this will design for MCP security from the start. The ones that don’t will find out the hard way that in the era of agentic AI, capability without composition control is just vulnerability at scale.

An In-Depth Guide to AI

Get essential knowledge and practical strategies to use AI to better your security program.
Golan Yosef

Golan Yosef is co-founder and Chief Security Officer at Pynt, an API security platform. 

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds