Nightfall AI’s 2026 AI Agent Risk Report: Understand AI risk. Protect your data
Get the report
Blog

MCP Security in 2026: 5 Risks Hiding in Your AI Agent Stack

Chris Martinez
May 11, 2026
On this page

The bottom line: There are over 20,000 MCP servers in public registries, and most enterprise security stacks have limited or no visibility into MCP activity. The Model Context Protocol gives AI agents direct access to code repositories, customer databases, and SaaS platforms — through a layer legacy DLP was never designed to inspect. The five most pressing MCP security risks in 2026: 

  • Silent updates to trusted MCP servers
  • Secrets and corporate IP leaking through agent traffic
  • Cross-repo access via overly broad tokens
  • Excessive tool permissions
  • Shadow MCP servers operating outside governance

Each requires MCP observability that legacy DLP cannot provide.

The MCP security gap is widening faster than the response

The data your AI agents now reach through MCP is exactly the data traditional DLP struggles with most: unreleased product roadmaps, M&A decks, proprietary source code, internal compensation data, and the rest of the unstructured corporate IP that has no signature for a regex to match. OWASP published its MCP Top 10 in 2025, and Adversa AI maintains a more granular MCP Top 25. The five risks below appear in both.

Categories below reference MCP vulnerabilities that appear on both the Adversa MCP Top 25 and the OWASP MCP Top 10.

Silent MCP Updates: When Tool Capabilities Change Without Review

Adversa: Missing Integrity/Verification Controls. OWASP MCP03: Tool Poisoning (rug pulls); MCP04: Software Supply Chain Attacks & Dependency Tampering.

You approved slack-mcp-server last quarter. It has been working fine. This morning, version 2.1 shipped with a new export_channel_history tool, and every developer who auto-updated now has it. Maybe the maintainer added it for a legitimate reason. Maybe a contributor did not think through the implications. Maybe the package was compromised. From your security team's vantage point, none of those distinctions matter, because none were visible — the capability surface of your environment changed overnight and nobody reviewed it. 

Adversa catalogs the worst-case version as a Rug Pull Attack, which OWASP places under tool poisoning; the everyday version is MCP version drift outpacing change management. SecurityWeek reported in April 2026 on a systemic MCP design flaw affecting more than 7,000 public servers and 150 million downloads, with Anthropic not fundamentally changing the protocol architecture in response to these concerns. The control that closes this gap is continuous scanning that flags new tool capabilities before they roll out, with automatic quarantine of unreviewed updates.

Secrets Leaking Through MCP: The New Path for Credential Exposure

Adversa: Token / Credential Theft. OWASP MCP01: Token Mismanagement & Secret Exposure.

A developer asks Cursor to debug a failing deployment. The GitHub MCP fetches the relevant config file into context. Embedded in it: an AWS access key, a database connection string, and the comments explaining the unreleased pricing tier those services support. The credential and the strategy doc have left the building together, through a channel traditional DLP never inspects.

The egress path is not email. It is not a browser upload. It is a tool call.

GitGuardian's State of Secrets Sprawl 2026, covered by Help Net Security, found 24,008 secrets embedded in MCP config files on GitHub and an 81% year-over-year surge in AI-service credential leaks. The IP loss running through the same channel is harder to measure, because nothing flagged it leaving. Closing this gap requires content inspection at the protocol level, with automatic redaction of secrets and detection of sensitive context before the request leaves the endpoint.

Cross-Repo Access: When AI Agents Reach Where Their Users Shouldn't

Adversa: Cross-Repository Data Theft. OWASP MCP02: Privilege Escalation via Scope Creep.

Most GitHub MCP deployments use org-wide tokens because per-repo scoping is operationally painful. The result is straightforward: a developer on the marketing-site team can ask Claude to "summarize our authentication code" and get back internals of the payments service — proprietary logic, hardcoded secrets, architectural decisions that no employee outside the security and platform teams should ever see. No exploit required, just an over-scoped token meeting an agent that does exactly what it is asked. 

The same pattern enables more deliberate attacks. Invariant Labs demonstrated in May 2025 that a malicious GitHub issue with a hidden prompt could coerce a connected agent into copying private repository contents into a public pull request, a technique DEVCLASS reported has no obvious fix at the protocol level. Two controls do close it operationally: behavioral monitoring that flags anomalous repo access, and granular tool control that lets you allow GitHub broadly while blocking specific high-risk tools.

Over-Permissioned Tools: The Excessive Agency Problem

Adversa: Privilege Abuse / Overbroad Permissions. OWASP LLM06: Excessive Agency.

MCP tools tend to ship with the maximum permissions their underlying API allows, because narrowing them is the integrator's job and most integrators skip it. A "read my calendar" agent ends up with write access. A "summarize this repo" agent ends up able to create branches and open PRs. A "draft a Slack response" agent ends up able to post in any channel it has been read into. The scale of the problem is not anecdotal: a peer-reviewed academic study of 1,899 MCP servers in the public ecosystem, Hasan et al. (2025), found that 5.5% exhibited MCP-specific tool poisoning and 7.2% contained general vulnerabilities, with credential exposure the single most prevalent finding. 

Each of those servers represents tools that an AI agent could call with whatever permissions the integrator chose to ship. OWASP's guidance is explicit that the fix has to live outside the tool itself: limit tool capabilities to the minimum necessary, enforce least-privilege identities, and require human approval for high-impact actions. The operational version is granular per-tool policy: allow GitHub but block create_branch, allow Slack but block post_message, allow Salesforce but block delete_record, all enforced externally without rewriting the MCP server.

Shadow MCP: The Ungoverned Servers Already Inside Your Org

Adversa: Unauthenticated Access. OWASP MCP09: Shadow MCP Servers.

Most enterprises learn about new MCP servers after the fact. By the time the server appears on a security team's radar, it is already running on a developer's laptop, already authenticated to a corporate SaaS account, and already sending tool calls outside any audit pipeline. MCP does not standardize authentication enforcement across implementations, so most MCP servers do not have any — what Adversa lists as Unauthenticated Access, the architectural oversight that enables nearly every other attack on its list. OWASP gave it a dedicated category in MCP09. 

The Cloud Security Alliance described the dynamic in late 2025: MCP servers are trivial to spin up, easy to share, and become a straight line from a hosted LLM into internal applications. Three controls collapse this gap: endpoint-level discovery that surfaces new MCP configurations within seconds, an SSO-gated proxy that forces authentication on every tool call, and a default-deny posture against the long tail of unvetted servers.

Why MCP Breaks Traditional DLP

Traditional DLP was built to inspect three things: files moving through email, uploads in browsers, and endpoint-to-cloud sync. MCP traffic looks like none of those.

The transport is invisible to the existing stack. It is JSON-RPC over a local stdio pipe or a remote HTTP transport, often initiated by a desktop client your security stack treats as a trusted process. Endpoint detection sees a legitimate authenticated process. Web proxies see allowed outbound traffic.

The data is whatever the agent decided to include. A code file, a customer record, a strategy doc, or all three concatenated. There is no fixed schema for SaaS DLP to fingerprint, because the payload is whatever context the agent assembled to answer a question.

The perimeter is gone. SaaS DLP sees nothing, because the data never touched the SaaS perimeter. The data left the endpoint as a tool call and arrived at a model provider's API.

The protocol layer is emerging as a critical enforcement point, which is what MCP observability provides: discovery, content inspection, and access control built for how AI agents actually move data.

The Path Forward

MCP is moving to the primary integration layer for enterprise AI faster than most security programs are tracking. The Adversa MCP Top 25 and the OWASP MCP Top 10 make the same underlying point: the attack surface is real, the categories are nameable, and the controls already exist for teams willing to put them in place. The five risks above cover what data security teams care about most — corporate IP and credentials moving through channels nobody currently inspects.

Nightfall built its MCP security platform around exactly this surface. To see how Nightfall handles MCP and agentic data exposure in your environment, request a demo.

Schedule a live demo

Tell us a little about yourself and we'll connect you with a Nightfall expert who can share more about the product and answer any questions you have.
Not yet ready for a demo? Read our latest e-book, Protecting Sensitive Data from Shadow AI.
<1---->

© 2025 Nightfall AI. All rights reserved.

Terms of ServicePrivacy PolicySecuritySecurity
Twitter X LogoFacebook LogoLinkedIn LogoLinkedIn LogoYoutube Logo