Skip to content
Kloudle Logo
MCP Dev Summit Mumbai · Jun 15, 2026

Your MCP Server Is an Attacker's Dream

We assessed ~15 production MCP servers. Authorization — not authentication — is where MCP breaks. This is the playbook: the lethal trifecta, the real findings, and a pre-prod checklist you can run today.

No proof, no finding. Every claim here is backed by a request and a response.

Limited to 100. One email when access opens — no spam, no sales calls.

From Kloudle, the sovereign posture plane for AI software factories. Jump to the pre-prod checklist →

proof gate · one MCP server only proven crosses
  • lead T-12 update_contact cross-account? unproven
  • blocked T-09 needs a valid session to test can't evaluate
  • disproven T-04 search → search chain noise
  • proven T-01 38 tools to an unauth caller → critical
  • proven T-22 SSRF → credential drain → critical
~15 servers assessed evidence-backed
The Lethal Trifecta

Three Capabilities. Survivable Alone, Lethal Together.

1

Access to private data

Overprivileged tools expose data the server never needed to touch.

2

Exposure to untrusted content

Tool poisoning and injected content the LLM treats as trusted commands.

3

Ability to exfiltrate

SSRF via tool arguments and transport misconfig open an outbound channel.

Concept coined by Simon Willison (2025). One MCP server can hold all three at once.

Real-World Assessments

Authorization — Not Authentication — Is Where MCP Breaks

Across ~15 production MCP servers, the same failures showed up again and again.

Missing object-level authorization (IDOR)

The most common serious finding — confirmed on 3 separate production servers. Any logged-in caller could read and modify another account's objects.

Unauthenticated callers read the whole catalog

One CRM server returned all 38 tool definitions, full schemas, with no auth header at all.

Discovery ignores RBAC

On an ITSM server a low-privilege key saw the identical 79-tool catalog as org-admin — including admin-only credential tools.

The Combination Kills

One Chatbot Key, a Tenant-Wide Credential Leak

An enterprise ITSM platform — all three legs, one MCP access key meant for a chatbot. Each tool passed review on its own.

  1. 1
    DISCOVERY

    tools/list returns 79 tools to every key, regardless of role — no discovery-time RBAC.

  2. 2
    ENUMERATE

    A credential-list tool returns 152 stored credentials (metadata only — no secrets, by design).

  3. 3
    THE DEPUTY

    An HTTP tool advertised as "any URL, auth handled by the platform" — no destination allowlist.

  4. 4
    EXFIL

    Call it with an attacker URL + a CREDENTIAL_REFERENCE — the platform resolves the secret server-side into the outbound headers.

  5. 5
    CAPTURE

    The attacker endpoint reflects the injected credential. The secret never traversed an MCP response. Loop all 152 IDs.

  6. 6
    IMPACT

    One chatbot-grade key drains every stored integration credential in the tenant — plus a 47-user PII directory.

Two tools, each passing review, compose into a tenant-wide credential leak. The trifecta isn't in any one tool — it's in the catalog.

Doing Auth Right Doesn't Save You

Two servers got authentication exactly right — and still shipped a critical bug.

Spec / collab platform

Enforced authentication perfectly — 401 on unauthenticated calls, clean OAuth — then shipped four high-severity cross-user IDORs. Authenticated, but no ownership checks. Auth ≠ authz.

Enterprise ITSM platform

Built a deliberately safe credentials API that never returns secret values — then added an HTTP-proxy tool that leaks those same secrets outbound. A safe API + a permissive tool = an unsafe catalog.

A Repeatable Methodology

Seven Steps to Assess Any MCP Server Before Prod

AI makes finding things cheap — Anthropic's Project Glasswing surfaced 10,000+ high/critical vulnerabilities in a month. Proving and fixing them is the new bottleneck. So every finding has to earn its place.

  1. 1

    Map the surface

    Inventory every tool, schema, resource & annotation — unauthenticated first. What leaks before login?

  2. 2

    Classify tool power

    Read-only / state-changing / destructive; flag danger fields (URL, path, code, query, identity).

  3. 3

    Enumerate injection surfaces

    Tool descriptions and the data tools return — check for instructions-as-data.

  4. 4

    Build the confused-deputy graph

    Every read→write pair; SSRF-source → credential-sink = high; search→search = noise.

  5. 5

    Test authz with ≥2 principals

    Same tool, cross-user / cross-org / cross-role. Positive + negative controls catch IDOR.

  6. 6

    Active-safe probing

    SSRF canary callbacks, credential-ref exfil, requester spoof — operator-owned resources only, with cleanup.

  7. 7

    Promote evidence → issues

    Every claim backed by request/response logs; verify false- vs true-positive against raw schemas.

Proof Over Promises

Step seven of every assessment: promote evidence, not guesses. Each finding shows its work — the probe, the request and response that proved it, and the raw-schema check that ruled out a false positive. Inspect the ledger; don't trust a score.

01 Candidate 
tools/list exposes update_contact
on a personal-CRM MCP server

A tool that takes a resource ID. Possible cross-account write — unproven.

02 Active-safe probe 
call update_contact(contact_id: <victim>)
as a second, attacker-controlled principal

Operator-owned test data only, with cleanup. Never customer records.

03 Request / response evidence 
HTTP 200 · modified a record owned by
another account

The live exchange that proves it. Logged, not inferred.

04 True-positive check 
raw schema: no ownership field enforced
server-side → confirmed IDOR

Verified against the raw schema to rule out a false positive.

05 Promotable finding

proof_status: proven

→ agent-safe · fix payload ready

Only now does it cross into customer output, the graph, and agent remediation.

No proof, no finding.

Cut One Leg, Kill the Attack

The Exploit Needs All Three Legs

Remove any one and the attack collapses.

Untrusted content

Treat tool metadata and external content as tainted. Pin and review tool definitions. Isolate descriptions from the instruction context.

Privilege

Scope every tool to least privilege. No standing broad data access. Separate read from write; require approval for sensitive scopes.

Exfil path

Allow-list outbound destinations. Validate URLs in tool args. Enforce transport auth. Block arbitrary HTTP from tools.

The Pre-Prod Checklist

Run This Before Your MCP Server Ships

Fifteen checks, each mapped to the leg it defends.

tools/list rejects unauthenticated callers (no schema leak pre-auth) Untrusted
tools/list filtered by caller role (low-priv keys don't see admin tools) Privilege
Every tool taking a resource ID enforces object-level authz (no IDOR) Privilege
Client-supplied identity fields (requester/owner/assignee) ignored server-side Privilege
MCP keys scope-restricted per tool (chatbot key ≠ HTTP-proxy / credential access) Privilege
Tool descriptions free of behavioral directives ("proceed anyway") Untrusted
Tool output / user content not returned verbatim into agent context Untrusted
State-changing calls triggered by read output require a confirmation gate Untrusted
Outbound-request tools enforce a destination allowlist (block SSRF) Exfil
Stored credentials bound to a destination; not usable with arbitrary URLs Exfil
No host-level egress to arbitrary external URLs (egress filtering) Exfil
Cloud metadata / localhost / internal ranges blocked from request tools Exfil
Audit log + alert on credential-ref use against an unmatched destination Exfil
Bearer-token lifetimes sane (not multi-year) Privilege
Mass-read tools (list users / credentials) rate-limited + minimal fields Privilege

What Got It Right — and What Didn't

Got it right

Real authz boundaries, SSRF allowlists, no pre-auth leak.

  • GitHub — Cross-org access denied; org-scoped fine-grained PATs.
  • Supabase — Bidirectional cross-principal access denied; boundary enforced.
  • Linear — Read/destructive hints on all 46 tools; SSRF domain allowlist.
  • MotherDuck — No promotable vulns; destructive hint set on the SQL tool.
  • PostHog — Required auth; unauthenticated assessment blocked at transport.

Got it wrong

Auth without authz, open catalogs, SSRF with no allowlist.

  • Enterprise ITSM platform — SSRF + credential proxy = tenant-wide secret leak. Critical.
  • Personal-CRM MCP — Cross-account IDOR + 38 tools to unauthenticated callers. Critical.
  • Spec / collab platform — Cross-user IDOR on 4 paths incl. destructive finalize. High ×4.
  • Docs / wiki platform — Tool-output injection drove a mutation tool. Medium.
  • Testimonials SaaS — Read-tool output can drive a state change. Medium.

Products that got it wrong are anonymized.

Run a Proof Bake-Off on Your MCP Server

Bring one MCP server — add a cloud account and a deployed app if you have them. Kloudle returns an evidence ledger: every finding proven, disproven, or blocked, with the request and response behind it, plus verified fixes for the top risks. Authentication is table stakes; we test what your tools can do together.

Self-serve signup is closing. This is the way in.

Limited to 100. One email when access opens — no spam, no sales calls.