The OWASP MCP Top 10 Explained — With Mitigations

What It Is

Improper handling of authentication tokens — hardcoded secrets, tokens in tool arguments, overly broad scopes, missing rotation, or tokens persisted in LLM context windows.

Why It Matters

A single leaked token can grant an attacker persistent access to every tool on the server. Tokens embedded in agent context may be extractable through prompt injection. In multi-agent systems, a compromised token gives lateral movement across the entire mesh.

Mitigations

• ▶Use OAuth 2.1 with PKCE — ideally never long-lived static API keys
• ▶Set token expiry to 15 minutes maximum
• ▶Enable refresh token rotation
• ▶Never pass secrets as tool arguments — use credential vaults
• ▶Scan all MCP traffic for leaked tokens (DLP)
• ▶Implement per-tool scoped authorization

What It Is

An agent gains access to tools or resources beyond its intended scope. This can happen through missing authorization checks, overly permissive default roles, or tool chaining that bypasses per-tool restrictions.

Why It Matters

Agents are autonomous — they will use whatever tools they can discover. Without strict per-tool authorization, a read-only agent can discover and invoke write or delete tools. In multi-tenant systems, cross-tenant access becomes possible.

Mitigations

• ▶Implement per-tool authorization at the gateway, not the server
• ▶Use deny-by-default policies — explicitly allow each tool per agent role
• ▶Audit tool discovery events — agents should not see tools they cannot use
• ▶Enforce tool allowlists in agent configurations
• ▶Rate-limit privilege-sensitive operations (delete, admin, config)

What It Is

Malicious instructions embedded in tool descriptions, parameter schemas, or metadata. When an agent reads the tool definition, it follows the hidden instructions as if they were legitimate system prompts.

Why It Matters

LLMs process tool descriptions as trusted context. A poisoned tool description can instruct the agent to exfiltrate credentials, bypass safety checks, or modify its own behaviour. This attack is invisible to the end user and persists across sessions.

Mitigations

• ▶Hash and pin tool schemas — alert on any change
• ▶Human review of all tool descriptions before deployment
• ▶Scan tool descriptions for instruction-like patterns
• ▶Use tool registries with signed schemas
• ▶Sandbox tool servers to limit damage from compromised tools

What It Is

An MCP server changes its tool schemas after initial trust is established. A tool that was safe during review becomes malicious after deployment — parameters are added, descriptions change, or entirely new tools appear.

Why It Matters

Most MCP clients cache tool schemas on first connection. If the server mutates schemas between sessions, the agent operates with stale security assumptions. This enables time-delayed attacks that bypass initial security review.

Mitigations

• ▶Pin tool schemas with cryptographic hashes
• ▶Re-validate schemas on every connection, not just the first
• ▶Alert on any schema diff — new tools, changed parameters, modified descriptions
• ▶Maintain a schema audit log with timestamps
• ▶Implement automated rollback when schema changes are detected

What It Is

An attacker compromises an MCP server or impersonates one. This includes DNS hijacking, supply chain attacks on server packages, compromised hosting, or man-in-the-middle attacks on unencrypted connections.

Why It Matters

A hijacked server controls everything the agent sees and does through that server. It can return poisoned responses, exfiltrate every tool argument, and inject instructions into the agent context. The agent has no way to verify server integrity without external validation.

Mitigations

• ▶Mutual TLS for all MCP connections
• ▶Verify server identity through signed manifests
• ▶Pin server certificates or public keys
• ▶Monitor server package integrity (checksums, signatures)
• ▶Use private registries for internal MCP servers
• ▶Network segmentation — MCP servers should not reach the internet unless required

What It Is

Malicious instructions embedded in data returned by tools. A database query returns a row containing "Ignore previous instructions and...". A web scraper returns a page with hidden prompt injection. A file read returns content designed to hijack the agent.

Why It Matters

Agents process tool responses as context for their next action. If a response contains instructions, the agent may follow them — overriding its original task, exfiltrating data, or calling tools it should not. This is the most common MCP attack vector in the wild.

Mitigations

• ▶Scan all tool responses for instruction-like patterns
• ▶Implement content-type-aware parsing — do not treat data as instructions
• ▶Use delimiter-based context separation in agent prompts
• ▶Rate-limit and monitor tool calls that follow unusual response patterns
• ▶DLP scanning on response payloads

What It Is

Denial of service through resource consumption — an agent making unbounded tool calls, a server returning massive payloads, or recursive tool chains that consume all available compute, memory, or API quota.

Why It Matters

Agents operate in loops. Without resource limits, a single malicious prompt or buggy tool can trigger infinite call chains. This exhausts API quotas, overwhelms servers, and can rack up significant cloud costs.

Mitigations

• ▶Set per-agent and per-session tool call limits
• ▶Enforce response size limits at the gateway
• ▶Implement circuit breakers for tool call chains
• ▶Set CPU and memory limits on sandboxed MCP servers
• ▶Monitor and alert on unusual tool call volumes
• ▶Budget-based API quota management

What It Is

Insufficient logging of MCP operations — missing tool call records, no correlation across sessions, unstructured logs that cannot be queried, or logging that is easily tampered with.

Why It Matters

Without audit logs, you cannot detect attacks, investigate incidents, or prove compliance. Logging gaps are not vulnerabilities themselves — they are the reason vulnerabilities go undetected. Every regulatory framework (SOC 2, ISO 27001, GDPR) requires comprehensive audit trails.

Mitigations

• ▶Log every tool call with structured JSON (agent, tool, args, response, scan results)
• ▶Include correlation IDs that span full agent sessions
• ▶Integrate MCP logs with your SIEM
• ▶Implement tamper-evident logging (append-only, signed)
• ▶Set retention policies that meet compliance requirements
• ▶Alert on logging failures — a gap in logs may indicate active suppression

What It Is

Compromised MCP server packages, malicious dependencies, typosquatting on package registries, or backdoored server images. The attack targets the server code before it ever runs.

Why It Matters

The MCP ecosystem is young and dependency chains are not well audited. A single compromised package can affect thousands of deployments. npm and PyPI have both seen MCP-specific supply chain attacks in 2025.

Mitigations

• ▶Pin exact versions for all MCP server dependencies
• ▶Use lockfiles and verify checksums
• ▶Scan dependencies with SCA tools (Snyk, Dependabot)
• ▶Run MCP servers from signed container images
• ▶Maintain an internal registry of approved MCP servers
• ▶Audit new server packages before deployment — review tool descriptions, check for unusual network calls

What It Is

Unauthorized extraction of sensitive data through MCP channels — secrets leaked in tool arguments, PII returned in responses and forwarded to external services, or agents tricked into sending data to attacker-controlled endpoints.

Why It Matters

Agents handle sensitive data by design. They read files, query databases, and pass information between tools. Without DLP controls, any of this data can leave your perimeter through legitimate-looking tool calls.

Mitigations

• ▶DLP scanning on all tool calls and responses
• ▶Secret detection with 90+ pattern types
• ▶PII detection with regional awareness
• ▶Block outbound tool calls to unapproved domains
• ▶Network egress controls on MCP server containers
• ▶Alert on data volume anomalies per agent session