OWASP / MCP Top 10
A risk framework derived from the OWASP Top 10 for Model Context Protocol (MCP) 2025 (beta release v0.1), published by the OWASP Foundation. It identifies the ten most critical security risks arising in the lifecycle of MCP-enabled systems — spanning token mismanagement, scope creep, tool poisoning, supply chain attacks, command injection, intent subversion, authentication failures, audit gaps, shadow deployments, and context over-sharing — together with associated controls to reduce or eliminate those risks.
Type: Industry
Domain: Cybersecurity
Coverage: Accountability & Governance; Safety & Reputational Harm
Tags: MCP
Content: 10 Risks, 30 Controls
Version: v0.1
Framework Definition
Risks and controls associated with the framework
Assessment Layer
Concrete evaluations linked to controls to assess pass or fail
No evaluation mapping defined yet.
RISK
Token Mismanagement and Secret Exposure
Risk that hard-coded credentials, long-lived tokens, and secrets stored in MCP model memory, protocol logs, or configuration files are exposed to unauthorised access — through prompt injection, compromised context, or debug trace inspection — leading to full compromise of connected systems, lateral movement across integrated services, and data exfiltration from vector databases or file stores.
CONTROL
Store Secrets in Vaults and Inject at Runtime Only
Ensure that all secrets, API keys, and credentials are stored in secure secret management systems (e.g., HashiCorp Vault, AWS Secrets Manager) and injected into MCP environments via runtime environment variables only — never hard-coded at build time or embedded in configuration files.
CONTROL
Issue Short-Lived, Session-Scoped Tokens Bound to Agent Identity
Ensure that tokens are short-lived, scoped to the minimum necessary permissions, renewed for every new MCP session, and bound to the specific agent, tool, or session context to prevent reuse or lateral misuse.
CONTROL
Enforce Context Isolation and Redact Secrets from Logs
Ensure that sensitive data is prevented from persisting in model memory or context windows, that inputs and outputs are redacted or sanitised before logging, and that ephemeral contexts are used for operations involving credentials.
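An added example (not part of the OWASP framework text) of the third control above: a redaction pass that runs over an MCP tool-call record before it reaches any log or trace. The secret patterns, field names and the sample record are constructed for illustration and should be extended with the token formats your own connectors use.

```python
import json
import re

# Regexes for common credential shapes (constructed for this example). The name
# becomes the redaction marker so investigators still know what kind of value was there.
SECRET_PATTERNS = [
    ("bearer", re.compile(r"(?i)\bBearer\s+[A-Za-z0-9\-._~+/]+=*")),
    ("aws_access_key", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github_pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("jwt", re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")),
    ("private_key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----", re.S)),
]
# Field names whose values are always masked, whatever the value looks like.
SENSITIVE_KEYS = {"authorization", "api_key", "apikey", "password", "secret", "token", "x-api-key"}

def redact_text(text: str) -> str:
    """Replace anything that looks like a secret with a typed marker."""
    for name, pattern in SECRET_PATTERNS:
        text = pattern.sub(f"[REDACTED:{name}]", text)
    return text

def _redact_value(key, value):
    if isinstance(key, str) and key.lower() in SENSITIVE_KEYS:
        return "[REDACTED:field]"
    if isinstance(value, dict):
        return {k: _redact_value(k, v) for k, v in value.items()}
    if isinstance(value, list):
        return [_redact_value(None, v) for v in value]
    if isinstance(value, str):
        return redact_text(value)
    return value

def redact_record(record: dict) -> dict:
    """Walk a tool-call record (params, headers, bodies) and return a redacted copy."""
    return _redact_value(None, record)

def safe_log_line(record: dict) -> str:
    return json.dumps(redact_record(record), sort_keys=True)  # structured, safe to ship

# Constructed sample: an MCP tool invocation as a server might record it.
SAMPLE_TOOL_CALL = {
    "session_id": "sess-42",
    "tool": "http_request",
    "params": {
        "url": "https://api.example.com/v1/items",
        "headers": {"Authorization": "Bearer abc.DEF-123"},
        "body": "export AWS_ACCESS_KEY_ID=AKIAABCDEFGHIJKLMNOP",
    },
}
```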
RISK
Privilege Escalation via Scope Creep
Risk that temporary or narrowly scoped permissions granted to MCP agents or tools expand over time — through configuration drift, convenience decisions, or cumulative scope increases across connected systems — until agents hold broad or administrative privileges, enabling unauthorised code modification, unreviewed deployments, service account impersonation, and amplified incident blast radius.
CONTROL
Define Least-Privilege Permission Scopes Before Deployment
Ensure that minimal permissions required per agent are defined and documented before deployment, mapped to explicit fine-grained scopes, and encoded as policy-as-code enforced through CI/CD pipelines that reject non-compliant configurations.
CONTROL
Enforce Expiry-Based and Just-in-Time Access with Human Approval Gates
Ensure that all agent scopes and tokens are time-limited, require revalidation for long-running tasks, and use just-in-time elevation workflows with human approval gates for higher-risk operations. Require separation of duties for permission grants.
CONTROL
Run Automated Entitlement Reviews and Alert on Permission Drift
Ensure that entitlement audits are run periodically and on every change to detect scope expansions, with alerts requiring documented justification and approval for any permission increase, supported by immutable audit trails tying actions to agent identity and session.
RISK
Tool Poisoning
Risk that adversaries tamper with tool schemas, manifests, or metadata governing agent-to-tool interactions in an MCP ecosystem — through schema poisoning, rug pulls, tool shadowing, or supply-chain compromise of interface definitions — causing agents that trust and follow these contracts to inadvertently execute dangerous commands while logging apparently valid actions, with potential for widespread compromise across all agents consuming the poisoned schema.
CONTROL
Digitally Sign Schemas and Verify Signatures Before Use
Ensure that all schemas and tool manifests are digitally signed (e.g., JWS, COSE, PKI-backed signatures), that agents verify signatures before accepting or using any schema, and that content-addressable identifiers (hashes) are validated against trusted values.
CONTROL
Enforce Immutable Schema Registry with Separation of Duties
Ensure that schemas are stored in an immutable version-controlled system with signed commits, append-only ledger semantics, enforced code review, multi-person approval for schema changes, and strict RBAC separating the role that proposes changes from the role that approves and publishes them.
CONTROL
Encode Semantic Invariants as Policy and Enforce at Runtime
Ensure that semantic invariants are encoded as policy checks (e.g., OPA/Rego) that run in CI and in a runtime policy decision point, and that agents are required to log the schema hash and provenance metadata used for each invocation.
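An added example (not from the OWASP framework) of the first and third controls above: content-addressable hashing of a tool definition, signature verification before use, and a registry of hashes pinned at review time so that a changed description (rug pull) or an unapproved look-alike name (shadowing) is refused. An HMAC with a shared publisher key stands in for the JWS/COSE signature the control calls for; that key, the sample tool and the registry contents are constructed for illustration.

```python
import hashlib
import hmac
import json

def canonical_hash(tool: dict) -> str:
    """Content-addressable id: sha256 over canonical JSON (sorted keys, no whitespace),
    so reordering or reformatting does not change it but any edit to name,
    description or inputSchema does."""
    data = json.dumps(tool, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()

def sign_manifest(tool: dict, publisher_key: bytes) -> str:
    # HMAC over the hash stands in for the publisher's JWS/COSE signature (assumption
    # for this example; production uses asymmetric keys under a PKI-backed trust root).
    return hmac.new(publisher_key, canonical_hash(tool).encode(), hashlib.sha256).hexdigest()

def verify_manifest(tool: dict, signature: str, publisher_key: bytes) -> bool:
    return hmac.compare_digest(sign_manifest(tool, publisher_key), signature)

class PinnedToolRegistry:
    """Hashes approved at review time. The agent refuses anything else: an unknown
    name (possible shadowing) or a known name with a new hash (possible rug pull)."""
    def __init__(self, approved: dict):
        self.approved = dict(approved)  # tool name -> approved canonical hash

    def check(self, tool: dict, signature: str, publisher_key: bytes):
        name = tool.get("name", "<unnamed>")
        if not verify_manifest(tool, signature, publisher_key):
            return False, f"{name}: signature invalid"
        digest = canonical_hash(tool)
        if name not in self.approved:
            return False, f"{name}: not an approved tool (possible tool shadowing)"
        if not hmac.compare_digest(self.approved[name], digest):
            return False, f"{name}: definition changed since approval (possible rug pull)"
        return True, f"{name}: ok, schema hash {digest[:12]} recorded for this invocation"

# Constructed sample: the tool definition as reviewed and approved.
PUBLISHER_KEY = b"demo-publisher-key"
APPROVED_TOOL = {
    "name": "read_file",
    "description": "Read a file from the project workspace.",
    "inputSchema": {"type": "object", "properties": {"path": {"type": "string"}}, "required": ["path"]},
}
REGISTRY = PinnedToolRegistry({"read_file": canonical_hash(APPROVED_TOOL)})
```

The hash returned on success is what the third control asks agents to log alongside the invocation.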
RISK
Software Supply Chain Attacks and Dependency Tampering
Risk that compromised or maliciously modified third-party components — including MCP server libraries, SDKs, connectors, plugins, model-side tool integrations, open-source packages, and build pipelines — introduce hidden backdoors, unsafe API calls, context poisoning payloads, or privilege escalation mechanisms into the MCP execution chain, enabling cross-tenant compromise and propagation into downstream CI/CD and cloud infrastructure.
CONTROL
Require Signed Components and Maintain SBOM Visibility
Ensure that cryptographic signing is required for all MCP SDKs, plugins, tool manifests, and container images with signature validation at install and startup, and that SBOM and CBOM snapshots are generated for each MCP server and plugin package, stored alongside deployments for auditing.
CONTROL
Pin Versions to Immutable Hashes and Scan for Known Vulnerabilities
Ensure that all component versions are pinned to immutable hashes rather than floating references, that approved internal registries are used to block direct public internet downloads, and that software composition analysis (SCA) tools scan for known CVEs and malicious indicators in both direct and transitive dependencies.
CONTROL
Sandbox Third-Party Plugins and Enforce Supply Chain Governance
Ensure that third-party plugins run in constrained execution environments (e.g., WASM, container isolation) with restricted filesystem and network access, and that supplier risk profiles are maintained with requirements for signed attestations and security maturity review of open-source maintainers.
RISK
Command Injection and Execution
Risk that AI agents in MCP environments construct and execute system commands, shell scripts, SQL queries, or API calls using untrusted input — from user prompts, retrieved context, or third-party data — without proper validation or sanitisation, enabling arbitrary code execution, data exfiltration, privilege escalation, lateral movement, supply chain poisoning, and denial of service through the agent's elevated execution context.
CONTROL
Enforce Command Allowlists and Reject Shell Metacharacters
Ensure that permitted commands, arguments, and file paths are defined as allowlists, that shell metacharacters are rejected, and that all file paths are normalised and validated to block traversal attacks.
CONTROL
Adopt Safe Execution Patterns and Disable Unsafe Evaluation Functions
Ensure that shell=True, eval(), exec(), and string-built commands are prohibited, that structured parameter execution is always used, that model-generated code is not automatically executed without human review, and that parameterised SQL and API calls are used in place of string interpolation.
CONTROL
Sandbox All Tools with Least Privilege and Human Approval for Sensitive Actions
Ensure that tools run in sandboxed containers or micro-VMs with enforced timeouts, resource limits, and read-only filesystems, that tools are executed as non-root with minimal permissions, and that destructive, privileged, or system-modifying operations require explicit human approval with immutable audit logging.
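An added example (not part of the OWASP framework) combining the first two controls above: a command allowlist with per-command flags, rejection of shell metacharacters, path normalisation confined to a workspace root, and execution as an argument vector with shell=False and a timeout. The workspace location and the allowlisted commands are assumptions for the example; sandboxing and the human-approval gate of the third control sit around this function rather than inside it.

```python
import subprocess
import tempfile
from pathlib import Path

# Assumption: each session gets a scratch workspace; every path argument must stay inside it.
WORKSPACE = Path(tempfile.mkdtemp(prefix="agent-ws-")).resolve()
# Characters that mean something to a shell; rejected outright even though no shell is used.
SHELL_META = set(";|&$`<>(){}\n\\*?!~'\"")
# Allowlist: command -> flags an agent may pass. Positional arguments must be workspace paths.
ALLOWED_COMMANDS = {
    "ls": {"-l", "-a"},
    "wc": {"-l", "-c"},
}

class CommandRejected(ValueError):
    pass

def safe_path(raw: str) -> str:
    """Normalise and confine a path to WORKSPACE (blocks ../ traversal and absolute paths)."""
    resolved = (WORKSPACE / raw).resolve()
    if resolved != WORKSPACE and WORKSPACE not in resolved.parents:
        raise CommandRejected(f"path escapes workspace: {raw!r}")
    return str(resolved)

def build_argv(command: str, args: list) -> list:
    """Validate a proposed tool command and return an argument vector, never a shell string."""
    if command not in ALLOWED_COMMANDS:
        raise CommandRejected(f"command not allowlisted: {command!r}")
    argv = [command]
    for arg in args:
        if not arg or any(ch in SHELL_META for ch in arg):
            raise CommandRejected(f"rejected argument: {arg!r}")
        if arg.startswith("-"):
            if arg not in ALLOWED_COMMANDS[command]:
                raise CommandRejected(f"flag not allowlisted for {command}: {arg!r}")
            argv.append(arg)
        else:
            argv.append(safe_path(arg))
    return argv

def run_tool_command(command: str, args: list, timeout: float = 10.0) -> subprocess.CompletedProcess:
    """Execute with shell=False and a timeout; argv goes straight to execve, nothing is re-parsed."""
    argv = build_argv(command, args)
    return subprocess.run(argv, shell=False, capture_output=True, text=True, timeout=timeout, cwd=WORKSPACE)
```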
RISK
Intent Flow Subversion
Risk that malicious instructions embedded within MCP-retrieved context — documents, tool outputs, resource responses, or schema metadata — hijack the agent's Intent Flow, diverting it from the user's original goal toward an attacker's objective while appearing to continue the original task, enabling goal hijacking, unauthorised autonomous actions, and persistent behavioural manipulation across multiple sessions.
CONTROL
Anchor User Intent and Validate Proposed Actions Against the Original Goal
Ensure that the user's original goal is explicitly anchored in the system prompt and that at every planning step the agent's proposed actions are evaluated against that anchor using a Policy Decision Point (PDP) that enforces a whitelist of goal-aligned actions, blocking tool calls that deviate from the original intent.
CONTROL
Apply Independent Intent Verification via a Guardrail Model
Ensure that a separate, independent guardrail model — isolated from potentially poisoned MCP context — verifies proposed tool calls by evaluating only the user intent and the proposed action, detecting deviations before execution.
CONTROL
Tag Retrieved Content as Untrusted and Monitor for Intent Drift
Ensure that all natural-language content retrieved from MCP resources or tool outputs is tagged as untrusted context and treated as passive data rather than executable instructions, and that intent drift is actively monitored with automatic session pausing when the agent's plan deviates from the original goal.
RISK
Insufficient Authentication and Authorization
Risk that MCP servers, tools, or agents fail to properly verify identities or enforce access controls — through missing or optional token validation, hard-coded shared secrets, insecure token issuance, client-side-only enforcement, or unverified caller identity — enabling unauthorised actions, privilege escalation, cross-agent impersonation, data leakage via over-permissive APIs, and service compromise through trusted connector chaining.
CONTROL
Enforce Mutual TLS and Short-Lived Scoped Tokens for All MCP Entities
Ensure that mutual TLS (mTLS) is required between all MCP clients, agents, and servers, that short-lived JWT/OAuth2-style tokens are scoped to specific sessions and permissions, bound to agent identity via signed attestation, and validated server-side on every request.
CONTROL
Implement Fine-Grained Per-Request Authorization with Deny-by-Default
Ensure that RBAC or ABAC authorization models are applied per request (not per session), with a deny-by-default stance where any unrecognised agent or scope is automatically blocked, and that admin or system tokens are restricted from development or shared contexts.
CONTROL
Integrate with Centralised IAM and Log All Authentication and Authorization Events
Ensure that MCP authentication is integrated with organisational IAM or OIDC providers, that policy enforcement is centralised through a Policy Decision Point, and that every authentication attempt and authorization decision is logged with anomaly detection for repeated failures, invalid tokens, and cross-tenant token reuse.
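An added example (not part of the OWASP framework) serving the token controls above and the earlier ones under Token Mismanagement and Privilege Escalation: tokens that are short-lived, scoped, and bound to a specific agent and session, checked server-side on every request with a deny-by-default decision. A compact HMAC-signed token stands in for the JWT/OAuth2-style token the control describes; the signing key, TTL and sample identities are constructed for the example, and a real issuer would use the organisation's IdP/OIDC keys.

```python
import base64
import hashlib
import hmac
import json
import time

SIGNING_KEY = b"demo-issuer-key"  # constructed; a real issuer uses keys from the org IdP / OIDC provider
TOKEN_TTL = 300                    # seconds: short-lived, re-issued for every new MCP session

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(agent_id: str, session_id: str, scopes, now=None) -> str:
    """Compact HMAC-signed token (stand-in for a JWT) bound to agent + session."""
    now = int(time.time() if now is None else now)
    payload = {"sub": agent_id, "sid": session_id, "scope": sorted(scopes), "iat": now, "exp": now + TOKEN_TTL}
    body = _b64(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    return body + "." + _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())

def verify_token(token: str, now=None):
    """Payload if signature and expiry check out, else None."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        payload = json.loads(_unb64(body))
    except ValueError:  # malformed base64 / JSON / wrong number of segments
        return None
    if not isinstance(payload, dict) or payload.get("exp", 0) <= now:
        return None
    return payload

def authorize(token: str, agent_id: str, session_id: str, required_scope: str, now=None):
    """Per-request decision. Deny by default: only the final branch allows."""
    payload = verify_token(token, now)
    if payload is None:
        return False, "deny: invalid or expired token"
    if payload.get("sub") != agent_id:
        return False, "deny: token not bound to the calling agent"
    if payload.get("sid") != session_id:
        return False, "deny: token issued for a different session"
    if required_scope not in payload.get("scope", []):
        return False, f"deny: scope {required_scope!r} not granted"
    return True, "allow"
```

Every decision tuple is what the third control says to log, together with the agent and session identity it was made for.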
RISK
Lack of Audit and Telemetry
Risk that absent or poorly implemented audit logging and telemetry in MCP systems leaves organisations unable to detect, investigate, or respond to unauthorised agent actions, data access, or model misbehaviour — enabling silent data exfiltration, insider abuse, compliance violations, and undetected behavioural drift — with delayed breach detection increasing dwell time and damage from malicious or accidental misuse.
CONTROL
Implement Structured, Tamper-Evident Logging for All Agent Actions
Ensure that all agent actions, tool invocations, schema versions, and context snapshots are logged in a structured format (JSON, CEF, OpenTelemetry) with cryptographic integrity protection, stored in append-only or write-once media, including essential fields: timestamp, agent ID, session ID, tool invoked, parameters used, response summary, and user identity.
CONTROL
Integrate with SIEM and Establish Behavioural Baselines for Anomaly Detection
Ensure that MCP logs are forwarded to enterprise SIEM systems for correlation, that automated alert rules are established for high-risk activities, and that telemetry is used to build and maintain behavioural baselines of normal agent operations with anomaly detection to flag deviations.
CONTROL
Enforce Log Retention Policies Aligned with Compliance Requirements
Ensure that log retention periods are aligned with applicable compliance frameworks (e.g., PCI DSS: 1 year minimum), that logs are protected with PII-safe masking and field-level encryption, and that periodic audit drills verify that investigators can reconstruct events from available logs.
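An added example (not from the OWASP framework) of the first control above and the audit-drill point of the third: a structured, append-only log whose entries carry the fields the control lists and are hash-chained so that editing or deleting a record is detectable, with an externally stored head hash ("anchor") to expose truncation or a full re-chain. The entry layout and anchor mechanism are this example's own assumptions; production deployments would additionally sign or forward the head to write-once storage.

```python
import hashlib
import json
import time

GENESIS = "0" * 64

class AuditLog:
    """Append-only structured log. Every entry carries the hash of the previous
    entry, so editing or deleting any record invalidates every record after it.
    Publishing the head hash to a separate system (the anchor) also exposes
    truncation or a complete re-chain by someone who controls the log file."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True, separators=(",", ":")).encode()).hexdigest()

    def append(self, agent_id, session_id, tool, parameters, response_summary, user_id, ts=None) -> str:
        entry = {
            "timestamp": time.time() if ts is None else ts,
            "agent_id": agent_id, "session_id": session_id, "tool": tool,
            "parameters": parameters, "response_summary": response_summary, "user_id": user_id,
            "prev_hash": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["hash"]  # the new head: ship this to the anchor store

    def verify(self, expected_head=None):
        """(True, -1) if intact; (False, i) with i the first broken entry, or
        i == len(entries) when the chain is intact but the head differs from the anchor."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e.get("prev_hash") != prev or self._digest(e) != e.get("hash"):
                return False, i
            prev = e["hash"]
        if expected_head is not None and prev != expected_head:
            return False, len(self.entries)
        return True, -1

    def to_jsonl(self) -> str:
        """One JSON object per line, the form a SIEM forwarder would ingest."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.entries)
```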
RISK
Shadow MCP Servers
Risk that unapproved or unsupervised deployments of MCP server instances — spun up by developers, research teams, or data scientists for experimentation or convenience outside formal security governance — operate with default credentials, permissive configurations, or unsecured APIs, creating invisible backdoors into enterprise systems that bypass centralised authentication, monitoring, and data governance controls.
CONTROL
Establish a Centralised MCP Registry and Require Pre-Deployment Approval
Ensure that a centralised MCP registry is established where every instance must be registered and approved before deployment, registration is tied to CI/CD pipelines such that unregistered instances fail deployment, and metadata including owner, purpose, version, endpoints, compliance state, and contact is maintained for every instance.
CONTROL
Implement Continuous Discovery Scanning for Unauthorised MCP Deployments
Ensure that network discovery tools and passive sensors are deployed to detect open MCP ports and traffic patterns across all subnets and cloud environments, with automated weekly scans and alerts to security operations when shadow MCP instances are detected.
CONTROL
Publish Secure-by-Default Configuration Templates and Enforce Compliance
Ensure that secure-by-default MCP configuration templates are published for teams, enforcing authentication, authorisation, disabled unauthenticated tool calls, and preconfigured logging and monitoring, with deployment of instances deviating from approved templates blocked.
RISK
Context Injection and Over-Sharing
Risk that MCP context — storing prompts, retrieved documents, intermediate reasoning, and interaction history — is shared, persistently stored, or insufficiently scoped, enabling sensitive information from one session, agent, or user to leak into another, or malicious content to be injected into shared memory to persistently corrupt future agent behaviour, resulting in privacy violations, regulatory exposure, trade secret disclosure, and cross-agent or cross-tenant data compromise.
CONTROL
Enforce Ephemeral, Per-Session Context Windows with Automatic Expiry
Ensure that context windows are short-lived and per-session by default, with automatic deletion after task completion, defined TTL policies (e.g., session end, 30 minutes, 24-hour maximum), and persistent memory only permitted when explicitly sanctioned and governed.
CONTROL
Implement Context Isolation with Unique Namespaces per User, Agent, and Tenant
Ensure that unique context namespaces are assigned per user, agent, workflow, and tenant, that one agent cannot directly access another agent's memory without explicit access controls, and that in multi-tenant deployments retrieval indexes and vector stores are fully isolated between tenants.
CONTROL
Classify Context Data and Detect Injection Patterns Before Storage
Ensure that all inputs and retrieved data are classified by sensitivity level (public, internal, confidential, restricted), that automated scanners redact PII, secrets, and tokens before storage, and that context injection patterns (e.g., instruction-override attempts) are detected and blocked before being persisted in memory.
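An added example (not part of the OWASP framework) covering the three controls above: a context store keyed by a tenant/user/agent/workflow namespace, with a default TTL and hard maximum, an explicit end-of-session wipe, sensitivity labels on every record, and instruction-override pattern checks applied before anything is persisted. The TTL values, namespace layout and the pattern list are constructed for the example and should be tuned to your own corpus.

```python
import re
import time
from itertools import count

SENSITIVITY_LEVELS = ("public", "internal", "confidential", "restricted")
# Instruction-override shapes seen in retrieved content (constructed list; tune for your corpus).
INJECTION_PATTERNS = [re.compile(p, re.I) for p in (
    r"ignore (all |any )?(previous|prior|above|earlier) instructions",
    r"disregard (the |your )?(system|previous) (prompt|instructions)",
    r"\byou are now\b",
    r"^\s*system\s*:",
)]

class ContextRejected(ValueError):
    pass

class ContextStore:
    """Per-namespace, TTL-bound context records; nothing is readable across a namespace."""
    def __init__(self, default_ttl=1800, max_ttl=86400):  # 30 min default, 24 h hard cap
        self.default_ttl, self.max_ttl = default_ttl, max_ttl
        self._records = {}  # namespace -> list of records
        self._ids = count(1)

    @staticmethod
    def namespace(tenant: str, user: str, agent: str, workflow: str) -> str:
        return f"{tenant}/{user}/{agent}/{workflow}"

    def put(self, ns: str, text: str, sensitivity: str, ttl=None, now=None) -> int:
        """Classify, scan, then store; rejected content never reaches memory."""
        if sensitivity not in SENSITIVITY_LEVELS:
            raise ValueError(f"unknown sensitivity {sensitivity!r}")
        for pattern in INJECTION_PATTERNS:
            if pattern.search(text):
                raise ContextRejected(f"instruction-override pattern {pattern.pattern!r}")
        now = time.time() if now is None else now
        ttl = min(ttl if ttl is not None else self.default_ttl, self.max_ttl)
        rec = {"id": next(self._ids), "text": text, "sensitivity": sensitivity, "expires_at": now + ttl}
        self._records.setdefault(ns, []).append(rec)
        return rec["id"]

    def get(self, ns: str, now=None) -> list:
        """Live records for one namespace only; expired ones are evicted on read."""
        now = time.time() if now is None else now
        live = [r for r in self._records.get(ns, []) if r["expires_at"] > now]
        self._records[ns] = live
        return live

    def end_session(self, ns: str) -> None:
        """Task complete: drop the whole namespace rather than waiting for the TTL."""
        self._records.pop(ns, None)
```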