The MCP Security Gap: How Everyday AI Plumbing Attracts Prompt Injection
- Christopher Day
- 3 days ago

A developer opens an AI assistant inside an editor to clear a backlog of issues. The assistant reads a public ticket that looks routine, then quietly asks for access to a private repository and begins summarizing files it was never meant to see. Nothing about the scene feels like a breach. There is no ransom note. There is only a model following instructions that looked like ordinary work. That calm surface hides a deeper problem that sits at the center of the Model Context Protocol.
The Model Context Protocol, known as MCP, is an open standard for connecting AI applications to tools, data sources, and reusable prompts. In practice, an MCP client such as a desktop app or a service connects to one or more MCP servers that expose resources and tools. The protocol uses JSON-RPC (JavaScript Object Notation Remote Procedure Call) and supports two primary transports: local connections use standard input and output, while remote connections use streamable HTTP. Anthropic, an AI software company, introduced MCP in late 2024, and it has spread quickly into developer tools and business assistants.
The same qualities that make MCP attractive to builders also appeal to attackers. Models rely on outside context to decide what to do, so a malicious instruction hidden in that context can steer a model to act in ways the user never intended. Security teams call this ‘indirect prompt injection.’ Microsoft has spelled out how these attacks work and why they matter. A model that can call tools can be tricked into exfiltrating data or taking actions on behalf of the user. The Open Worldwide Application Security Project (OWASP) Generative AI project now lists prompt injection as the top risk for systems that use large language models. Together those sources make a simple point. You cannot assume that content is safe just because it came from inside your workflow.
A recent case study from Docker shows how this plays out with code hosting. The researchers describe a scenario where a malicious issue in a public repository instructs an AI assistant to use an overly broad token to read from a private repository and then to leak that content. Their mitigation is plain and powerful. Insert interceptors between the client and the MCP server and enforce a policy that one session is bound to one repository. If the assistant tries to cross that boundary, the call is blocked, and the attempt is logged. The security lesson is as old as computing. Do not try to guess which words are dangerous. Instead, prevent privilege escalation in the first place.
Another incident brought the risk to the client side. In July 2025, the software company JFrog disclosed a critical vulnerability in mcp-remote, a proxy that lets clients expecting local connections talk to remote MCP servers. A crafted authorization endpoint could trigger command execution on the machine running the proxy. The fix is to update to a patched version and to avoid untrusted servers. Reporting at the time noted that hundreds of thousands of environments were potentially affected, which underscores how quickly MCP components have become part of day-to-day work.
Classic software flaws also take on new life once they sit behind MCP. The cybersecurity company Trend Micro analyzed a reference SQLite-based MCP server with an unpatched SQL injection bug. The flaw allowed an attacker to plant malicious text that would later be read by an assistant, creating stored prompt injection. The Register reported that the repository had been widely forked before it was archived, which means the risky code likely lives on in downstream projects. This is an old story told in a new key. A single injection bug becomes a persistence layer for hostile instructions that an agent will eventually read.
What works in practice is a mix of architectural controls and plain discipline. Start with prevention, not just detection. Use interceptors to review every tool call and enforce clear boundaries. One session can be limited to one repository or one database. Certain tools and destinations can be denied outright. For deployments that use Docker’s gateway, enable built-in guards such as block network and block secrets. They deny outbound traffic that is not on a short allow list and scan outputs for credentials before they reach the user. These steps eliminate entire classes of mistakes without asking the model to tell good text from bad text.
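The interceptor policy from the Docker case study and from the paragraph above, as an added example that is not code from the original post or from Docker: a small Python policy that pins a session to the first repository it touches, denies selected tools outright, and records every decision for audit. The tool names, argument keys and sample JSON-RPC requests are constructed for illustration and do not come from any real MCP server.

```python
import json
from dataclasses import dataclass, field

# Tool names and argument keys are hypothetical, modelled on a code-hosting MCP server.
REPO_TOOLS = {"list_issues", "get_file_contents", "create_pull_request"}
DENIED_TOOLS = {"run_shell"}

@dataclass
class SessionPolicy:
    """Interceptor state: one session is pinned to one 'owner/repo' and to a tool allow list."""
    session_id: str
    bound_repo: "str | None" = None            # pinned by the first repository-scoped call
    audit: list = field(default_factory=list)  # who called what, with which arguments, and the outcome

    def check(self, request: dict) -> tuple:
        if request.get("method") != "tools/call":
            return True, "not a tool call"
        params = request.get("params", {})
        tool, args = params.get("name", ""), params.get("arguments", {})
        allowed, reason = self._evaluate(tool, args)
        self.audit.append({"session": self.session_id, "tool": tool, "arguments": args, "allowed": allowed, "reason": reason})
        return allowed, reason

    def _evaluate(self, tool: str, args: dict) -> tuple:
        if tool in DENIED_TOOLS:
            return False, "tool denied outright"
        if tool not in REPO_TOOLS:
            return True, "tool is not repository-scoped"
        owner, repo = args.get("owner"), args.get("repo")
        if not owner or not repo:
            return False, "repository-scoped call without owner/repo"
        target = f"{owner}/{repo}"
        if self.bound_repo is None:
            self.bound_repo = target               # first use pins the session
            return True, f"session bound to {target}"
        if target != self.bound_repo:
            return False, f"cross-repository access to {target} blocked"
        return True, "within bound repository"

def replay(policy: SessionPolicy, ndjson: str) -> list:
    # Run newline-delimited JSON-RPC requests through the policy; return verdicts in order.
    return [policy.check(json.loads(line))[0] for line in ndjson.splitlines() if line.strip()]

# Constructed sample session: routine work, then an injected cross-repository read.
SAMPLE_REQUESTS = """\
{"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"list_issues","arguments":{"owner":"acme","repo":"public-site"}}}
{"jsonrpc":"2.0","id":2,"method":"tools/call","params":{"name":"get_file_contents","arguments":{"owner":"acme","repo":"internal-billing","path":"docs/notes.md"}}}
{"jsonrpc":"2.0","id":3,"method":"tools/call","params":{"name":"get_file_contents","arguments":{"owner":"acme","repo":"public-site","path":"README.md"}}}
{"jsonrpc":"2.0","id":4,"method":"tools/call","params":{"name":"run_shell","arguments":{"cmd":"ls"}}}
"""
```

Running `replay(SessionPolicy("sess-1"), SAMPLE_REQUESTS)` yields `[True, False, True, False]`: the second call is blocked because the session was already bound to the public repository, and every verdict lands in `policy.audit` with the arguments that produced it.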
Next, fix the token story. Replace broad personal access tokens with narrowly scoped tokens that are tied to a single resource and a small set of actions. Follow the MCP security guidance that forbids token passthrough and warns about the confused deputy pattern in OAuth proxies. In both cases, the cure is separation of audiences and clear ownership. Each component should get credentials intended only for its role.
Treat MCP servers as untrusted integration code. Run them in containers with minimal privileges. Limit what parts of the file system they can see. Assume old problems, such as server-side request forgery or path traversal, can show up through tool wrappers and shell calls. Instrument everything. Record who invoked which tool, with what arguments, and what came back. Alert on unusual spikes or first-time connections to new domains. Give teams a simple halt switch that pauses assistants and revokes tokens when something looks wrong. These habits will not stop every prompt injection, but they will turn a quiet leak into a contained event with a clear audit trail.
For lawyers and policy leaders, the governance frame is familiar. An MCP-mediated leak is a data processing failure with all the usual implications for privacy law, contracts, and incident response. Align internal policies with the NIST AI Risk Management Framework and its Generative AI profile so that you can show how you govern, map, measure, and manage these specific risks. Use OWASP’s guidance to justify default-deny controls around prompt injection and sensitive data exposure. Those references give counsel and security teams a common language and a roadmap that is vendor neutral.
The takeaway is simple. MCP is becoming the common plumbing that lets models act in the world. Standardization brings power and it also makes misuse repeatable. The answer is not to abandon the protocol. The answer is to adopt it with care. Quarantine new deployments. Start in sandboxes. Put high risk actions behind approvals. Keep the default posture restrictive until your team has the controls and the muscle memory to open things up responsibly. If you remember one rule, remember this one: one session, one resource, one clearly defined set of actions.
Sources
MCP transports and protocol basics. Model Context Protocol
Anthropic announcement of the Model Context Protocol. Anthropic
Microsoft on indirect prompt injection and defense in depth. Microsoft Security Response Center
OWASP Gen AI Top Ten item LLM01 Prompt Injection. OWASP Gen AI Security Project
Docker case study on GitHub prompt injection and interceptor policy. Docker
JFrog disclosure of CVE-2025-6514 in mcp-remote and mitigation. JFrog
Coverage of the mcp-remote impact and scale. The Hacker News
Trend Micro analysis of the SQLite MCP server and stored prompt injection. Trend Micro
The Register report on the archived SQLite MCP server and lack of patch. The Register
Docker gateway run flags for network and secret controls. Docker Documentation
MCP security best practices on token passthrough and confused deputy risks. Model Context Protocol
NIST AI Risk Management Framework Generative AI profile. NIST