zz security findings — MCP Sentinel

Code Vulnerabilities

1 findingMCP03MCP05MCP07ASI02ASI05CoSAI-T3MAESTRO-L3EU-AI-Act-Art-15AML.T0054#

Server-Hardening Failures

1 finding

No Authentication Required

MediumMCP07-insecure-config

MCP server accepts initialize handshake without any authentication token or API key

1Connect to the MCP server transport (streamable-http) without providing any credentials (no Authorization header, no API key query parameter, no mTLS certificate). Issue the `initialize` request followed by `tools/list`. If both succeed, authentication is genuinely absent.capability:toolsExpect: Server responds 200/OK to `initialize` and returns the tool list without a 401/403 or any WWW-Authenticate challenge.
2If the MCP server is fronted by a reverse proxy (nginx / envoy / Traefik / IAP), inspect the proxy configuration and confirm whether auth is terminated at that layer. If yes, document the proxy's auth strategy in an audit note; the finding can then be dismissed with provenance. If no, the server is the auth boundary and E1 stands.nginx.conf/server/locationExpect: Either the proxy enforces auth (dismiss with audit trail) or no proxy exists (E1 stands).
3Verify the server's bind address. A 127.0.0.1 bind is not a substitute for authentication — DNS rebinding (Jackson/Bortz/Boneh 2007) makes localhost reachable from any web page the user visits. Unauthenticated localhost MCP servers have been demonstrated-exploited in the wild.capability:toolsExpect: Bind address is 0.0.0.0 / a routable IP (direct network exposure) OR 127.0.0.1 (still exposed via DNS rebinding from a malicious web page).

sourceenvironment

capability:tools

Live connection to the MCP server over streamable-http succeeded with no credentials. `initialize` + `tools/list` returned without any WWW-Authenticate challenge.

An MCP server that answers tool enumeration without authentication trusts the network. Under modern threat models (CCS 2007 DNS rebinding, open cloud networking) no network is trustworthy.

sinkprivilege-grant

capability:tools

Full tool authority exposed without identity verification. Any client that reaches the transport can enumerate and (on systems that expose invocation) call every tool.

mitigationauth-checkabsent

capability:tools

No authentication mechanism present at the MCP server layer. Reverse-proxy-terminated auth may exist at a layer the scanner cannot observe; reviewer must confirm via the deployment diagram.

impactprivilege-escalation

server-host

Any network-reachable client can connect and invoke tools with the server's delegated authority. For localhost-bound servers, a malicious web page can still reach the server via DNS rebinding (Jackson/Bortz/Boneh 2007), making localhost no better than 0.0.0.0.

trivial

Test 106 more rules — give us more context2 input gaps

Dependency manifest7 rules

To unlock these tests: expose your package manifest.

D1Known CVEs in DependenciesSupply Chain SecurityKnown Vulnerable Dependencies
D2Abandoned DependenciesSupply Chain SecurityKnown Vulnerable Dependencies
D3Typosquatting Risk in DependenciesSupply Chain SecurityMalicious & Typosquat Packages
D4Excessive Dependency CountSupply Chain SecurityKnown Vulnerable Dependencies
D5Known Malicious or Flagged PackageSupply Chain SecurityMalicious & Typosquat Packages
D6Weak or Deprecated Cryptography DependenciesCode VulnerabilitiesInsecure Credential & Crypto
D7Dependency Confusion Attack RiskSupply Chain SecurityMalicious & Typosquat Packages

Source code99 rules

To unlock these tests: publish your source on GitHub.

C1Command InjectionCode VulnerabilitiesCommand & Shell Execution
C10Prototype PollutionCode VulnerabilitiesData Store Injection
C11ReDoS — Catastrophic Regex BacktrackingCode VulnerabilitiesServer-Hardening Failures
C12Unsafe DeserializationCode VulnerabilitiesDynamic Code Evaluation & Deserialization
C13Server-Side Template Injection (SSTI)Code VulnerabilitiesDynamic Code Evaluation & Deserialization
C14JWT Algorithm Confusion / None Algorithm AttackCode VulnerabilitiesInsecure Credential & Crypto
C15Timing Attack on Secret or Token ComparisonCode VulnerabilitiesInsecure Credential & Crypto
C16Dynamic Code Evaluation with User InputCode VulnerabilitiesCommand & Shell Execution
C2Path TraversalCode VulnerabilitiesFilesystem & Network Traversal
C3Server-Side Request Forgery (SSRF)Code VulnerabilitiesFilesystem & Network Traversal
C4SQL InjectionCode VulnerabilitiesData Store Injection
C5Hardcoded Secrets in Source CodeCode VulnerabilitiesInsecure Credential & Crypto
C6Error Message Information LeakageCode VulnerabilitiesServer-Hardening Failures
C7Wildcard CORS ConfigurationCode VulnerabilitiesServer-Hardening Failures
C8No Authentication on Network-Exposed ServerCode VulnerabilitiesServer-Hardening Failures
C9Excessive Filesystem ScopeCode VulnerabilitiesCommand & Shell Execution
G7DNS-Based Data Exfiltration ChannelData ExfiltrationExplicit Network Exfiltration
H1MCP OAuth 2.0 Insecure ImplementationAuthentication & IdentityOAuth Misimplementation
I12Capability Escalation Post-InitializationHuman OversightPost-Init Capability Escalation
I15Transport Session SecurityAuthentication & IdentitySession & Transport Security
J1Cross-Agent Configuration PoisoningSupply Chain SecurityConfig Injection & Bridge Supply Chain
J2Git Argument InjectionCode VulnerabilitiesCommand & Shell Execution
J4Health Endpoint Information DisclosureModel ManipulationInformation Disclosure Via Debug Surface
J5Tool Output Poisoning PatternsPrompt InjectionIndirect Gateway Injection
J7OpenAPI Specification Field InjectionCode VulnerabilitiesOpenAPI / Spec Field Injection
K1Absent Structured LoggingAudit & LoggingAbsent or Unstructured Logging
K10Package Registry SubstitutionTool PoisoningUpdate-Channel Spoofing
K11Missing Server Integrity VerificationSupply Chain SecurityKnown Vulnerable Dependencies
K12Executable Content in Tool ResponseTool PoisoningAnnotation Deception
K13Unsanitized Tool OutputTool PoisoningAnnotation Deception
K14Agent Credential Propagation via Shared StateAuthentication & IdentityCross-Boundary Credential Sharing
K16Unbounded Recursion / Missing Depth LimitsProtocol & TransportJSON-RPC Batching & Flooding
K17Missing Timeout or Circuit BreakerDenial of ServiceRecursion & Loop Bombs
K18Cross-Trust-Boundary Data Flow in Tool ResponseData ExfiltrationSource-to-Sink Flow
K19Missing Runtime Sandbox EnforcementDenial of ServiceTimeout & Circuit-Breaker Gaps
K2Audit Trail DestructionAudit & LoggingLog Destruction
K20Insufficient Audit Context in LoggingAudit & LoggingInsufficient Audit Context
K3Audit Log TamperingAudit & LoggingLog Destruction
K5Auto-Approve / Bypass Confirmation PatternHuman OversightAuto-Approve & Bypass
K6Overly Broad OAuth ScopesAuthentication & IdentityOAuth Misimplementation
K7Long-Lived Tokens Without RotationAuthentication & IdentityOAuth Misimplementation
K8Cross-Boundary Credential SharingData ExfiltrationTrust-Boundary Data Flow
K9Dangerous Post-Install HooksSupply Chain SecurityInstall-Time Execution
L1GitHub Actions Tag PoisoningSupply Chain SecurityCI/CD Poisoning
L10Registry Metadata SpoofingTool PoisoningUpdate-Channel Spoofing
L11Environment Variable Injection via MCP ConfigSupply Chain SecurityConfig Injection & Bridge Supply Chain
L12Build Artifact TamperingCode VulnerabilitiesOpenAPI / Spec Field Injection
L13Build Credential File TheftSupply Chain SecurityCI/CD Poisoning
L14Hidden Entry Point MismatchSupply Chain SecurityManifest & Entry-Point Confusion
L15Update Notification SpoofingTool PoisoningBehavior Drift
L2Malicious Build Plugin InjectionCode VulnerabilitiesOpenAPI / Spec Field Injection
L3Dockerfile Base Image Supply Chain RiskSupply Chain SecurityRegistry & Distribution Substitution
L4MCP Config File Code InjectionSupply Chain SecurityManifest & Entry-Point Confusion
L5Package Manifest Confusion IndicatorsSupply Chain SecurityManifest & Entry-Point Confusion
L6Config Directory Symlink AttackSupply Chain SecurityRegistry & Distribution Substitution
L7Transitive MCP Server DelegationSupply Chain SecurityManifest & Entry-Point Confusion
L8Version Rollback / Downgrade AttackSupply Chain SecurityRegistry & Distribution Substitution
L9CI/CD Secret Exfiltration PatternsSupply Chain SecurityCI/CD Poisoning
M2TokenBreak Boundary ManipulationModel ManipulationTokenizer Boundary Attacks
M6Progressive Context Poisoning EnablersHuman OversightTool-Position & Progressive Poisoning
M7Tool Response Structure BombDenial of ServiceResponse Payload Amplification
M8Inference Cost AmplificationDenial of ServiceInference Cost Amplification
M9Model-Specific System Prompt ExtractionModel ManipulationReasoning Extraction
N1JSON-RPC Batch Request AbuseProtocol & TransportJSON-RPC Batching & Flooding
N10Incomplete Handshake Denial of ServiceProtocol & TransportJSON-RPC Batching & Flooding
N11Protocol Version Downgrade AttackProtocol & TransportProtocol Version & Method Confusion
N12Resource Subscription Content MutationPrompt InjectionIndirect Gateway Injection
N13HTTP Chunked Transfer SmugglingProtocol & TransportStreaming & Session Hijacking
N14Trust-On-First-Use Bypass (TOFU)Authentication & IdentitySession & Transport Security
N15JSON-RPC Method Name ConfusionProtocol & TransportProtocol Version & Method Confusion
N2JSON-RPC Notification FloodingProtocol & TransportJSON-RPC Batching & Flooding
N3JSON-RPC Request ID CollisionProtocol & TransportJSON-RPC Batching & Flooding
N4JSON-RPC Error Object InjectionPrompt InjectionProtocol-Surface Injection
N5Capability Downgrade DeceptionProtocol & TransportProtocol Version & Method Confusion
N6SSE Reconnection HijackingProtocol & TransportStreaming & Session Hijacking
N7Progress Token Prediction and InjectionProtocol & TransportStreaming & Session Hijacking
N8Cancellation Race ConditionProtocol & TransportJSON-RPC Batching & Flooding
N9MCP Logging Protocol InjectionPrompt InjectionContext & Trust Manipulation
O10Privacy-Violating TelemetryData ExfiltrationCovert Channels
O4Clipboard and UI Exfiltration InjectionData ExfiltrationTrust-Boundary Data Flow
O5Environment Variable HarvestingData ExfiltrationCovert Channels
O6Server Fingerprinting via Error ResponsesData ExfiltrationCovert Channels
O8Timing-Based Covert ChannelData ExfiltrationCovert Channels
O9Ambient Credential ExploitationData ExfiltrationCovert Channels
P1Docker Socket Mount in ContainerContainer & RuntimeContainer Escape Vectors
P10Host Network Mode and Missing Egress ControlsContainer & RuntimeHost Mount & Network
P2Dangerous Container CapabilitiesContainer & RuntimeContainer Escape Vectors
P3Cloud Metadata Service AccessContainer & RuntimeCloud Metadata Access
P4TLS Certificate Validation BypassContainer & RuntimeTLS & Crypto Misconfig
P5Secrets Exposed in Container Build LayersSupply Chain SecurityRegistry & Distribution Substitution
P6LD_PRELOAD and Shared Library HijackingContainer & RuntimeContainer Escape Vectors
P7Sensitive Host Filesystem MountContainer & RuntimeHost Mount & Network
P8Insecure Cryptographic Mode or Static IV/NonceContainer & RuntimeTLS & Crypto Misconfig
P9Missing Container Resource LimitsDenial of ServiceContainer Resource Exhaustion
Q13MCP Bridge Package Supply Chain AttackSupply Chain SecurityConfig Injection & Bridge Supply Chain
Q15A2A/MCP Protocol Boundary ConfusionHuman OversightTrust-Delegation Confusion
Q3Localhost MCP Service HijackingProtocol & TransportLocalhost & Concurrency Hijack
Q4IDE MCP Configuration InjectionSupply Chain SecurityConfig Injection & Bridge Supply Chain
Q7Desktop Extension Privilege ChainContainer & RuntimePrivileged Roots & Extensions

Tested cleanly

Prompt Injection24 rules tested cleanly
Tool Poisoning17 rules tested cleanly
Data Exfiltration15 rules tested cleanly
Authentication & Identity9 rules tested cleanly
Supply Chain Security23 rules tested cleanly
Human Oversight6 rules tested cleanly
Audit & Logging5 rules tested cleanly
Multi-Agent Security1 rule tested cleanly
Protocol & Transport15 rules tested cleanly
Denial of Service7 rules tested cleanly
Container & Runtime10 rules tested cleanly
Model Manipulation8 rules tested cleanly