MCP Threat Observatory

The first public tracker of Model Context Protocol security threats in OSS AI repositories. Updated continuously. April 2026.

9 OWASP MCP risks catalogued
35% of AI repos with agent config exposure
2 active CVEs tracked
47 agent security findings in benchmark
Active CVEs: CVE-2025-59536, CVE-2026-21852
MCP01 · Prompt Injection / Jailbreak · scanner: Covered
Steering docs committed to the repo can be modified to hijack AI agent behaviour.

MCP02 · Insecure Authentication · scanner: Covered
API keys and bearer tokens hardcoded in MCP server config files. CVE-2025-59536.

MCP03 · Excessive Permission · scanner: Covered
enableAllProjectMcpServers=true, or a non-empty alwaysAllow list, grants blanket tool access. CVE-2026-21852.

MCP04 · Confused Deputy · scanner: Detection Pending
The agent acts on behalf of an attacker after being tricked into performing unintended actions.

MCP05 · Insecure Data Handling · scanner: Covered
Steering docs contain internal architecture context, credentials, and operational procedures.

MCP06 · Insufficient Logging · scanner: Detection Pending
Agent actions are not captured in an audit trail; there is no tamper-evident log of tool invocations.

MCP07 · Insecure Configuration · scanner: Covered
Hardcoded IPs, absolute paths, and missing .gitignore entries in agent config files.

MCP08 · SSRF via MCP · scanner: Detection Pending
MCP server URL fields pointing to internal network endpoints, exploitable for SSRF.

MCP09 · Broken Access Control · scanner: Covered
Agent config files in public repos publish the full MCP server topology and permission model.

MCP10 · Supply Chain · scanner: Partial
Compromised MCP server packages in npm/pip, or malicious servers injected via config.
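Several of the catalogue entries above come down to static checks on an agent config file that has been committed to a repository. The script below is an added example written for this page, not the ticketyboo scanner's own code. It implements the MCP03 check (enableAllProjectMcpServers set to true, or a non-empty alwaysAllow list), the MCP02 check (credentials hardcoded instead of referenced from the environment) and the MCP07 check (hardcoded IPs and absolute paths) over a constructed sample config. The sample's shape (a mcpServers map with command, args and env entries) and the secret-key and placeholder heuristics are assumptions, not a documented Claude Code schema; the checks walk the whole JSON tree by key name so they do not depend on where a key sits.

```python
"""Static check of a committed agent config for the MCP02 / MCP03 / MCP07 patterns.

Added example; not the ticketyboo scanner's code. The config shape is an assumption,
not a documented schema: the checks walk the whole JSON tree by key name.
"""
from __future__ import annotations

import json
import re

# Constructed sample of a committed agent config (e.g. .claude/settings.json). All values invented.
SAMPLE_CONFIG = json.dumps({
    "enableAllProjectMcpServers": True,            # MCP03: blanket auto-activation
    "alwaysAllow": ["filesystem", "shell"],        # MCP03: tools pre-approved, no prompt
    "mcpServers": {
        "internal-api": {
            "command": "/Users/dev/tools/mcp-internal",          # MCP07: absolute path
            "args": ["--host", "10.0.4.22"],                      # MCP07: hardcoded IP
            "env": {"API_TOKEN": "Bearer tok_constructed_0001"},  # MCP02: credential literal
        },
        "docs": {
            "command": "npx",
            "args": ["-y", "@example/mcp-docs"],
            "env": {"DOCS_KEY": "${DOCS_KEY}"},                   # fine: injected at runtime
        },
    },
})

# Heuristics (assumed, not from any spec): key names that usually hold credentials, and
# values that are empty, ${VAR}/$VAR references or <angle-bracket> placeholders rather than secrets.
SECRET_KEY = re.compile(r"token|secret|key|password|authorization|credential", re.I)
PLACEHOLDER = re.compile(r"^(\$\{?[A-Za-z_][A-Za-z0-9_]*\}?|<[^>]*>)?$")
IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
ABS_PATH = re.compile(r"^(/|[A-Za-z]:\\)")


def _finding(risk: str, path: str, detail: str) -> dict:
    return {"risk": risk, "path": path, "detail": detail}


def scan_agent_config(text: str) -> list[dict]:
    """Return one finding per risky key or value, tagged with its OWASP MCP risk id."""
    findings: list[dict] = []

    def visit(node, path: str) -> None:
        if isinstance(node, dict):
            for key, value in node.items():
                child = f"{path}.{key}" if path else key
                if key == "enableAllProjectMcpServers" and value is True:
                    findings.append(_finding("MCP03", child,
                        "every project-defined MCP server is enabled without per-server consent"))
                elif key == "alwaysAllow" and isinstance(value, list) and value:
                    findings.append(_finding("MCP03", child,
                        f"{len(value)} tool(s) pre-approved without a prompt"))
                elif SECRET_KEY.search(key) and isinstance(value, str) and not PLACEHOLDER.match(value):
                    findings.append(_finding("MCP02", child,
                        "credential hardcoded instead of injected from the environment"))
                else:
                    visit(value, child)
        elif isinstance(node, list):
            for i, item in enumerate(node):
                visit(item, f"{path}[{i}]")
        elif isinstance(node, str):
            # Leaf strings under non-secret keys: still catch obvious bearer tokens,
            # then the MCP07 machine-specific values.
            if node.startswith("Bearer "):
                findings.append(_finding("MCP02", path, "bearer token literal"))
            elif IPV4.match(node):
                findings.append(_finding("MCP07", path, "hardcoded IP address"))
            elif ABS_PATH.match(node):
                findings.append(_finding("MCP07", path, "absolute path ties the config to one machine"))

    visit(json.loads(text), "")
    return findings


def summarize(findings: list[dict]) -> dict[str, int]:
    """Count findings per risk id, e.g. {'MCP02': 1, 'MCP03': 2, 'MCP07': 2}."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f["risk"]] = counts.get(f["risk"], 0) + 1
    return dict(sorted(counts.items()))


if __name__ == "__main__":
    results = scan_agent_config(SAMPLE_CONFIG)
    for f in results:
        print(f"{f['risk']}  {f['path']}: {f['detail']}")
    print(summarize(results))
```

Against the sample the MCP03 findings fire on the two top-level keys, MCP07 on the absolute command path and the IP in args, and MCP02 once on API_TOKEN; the ${DOCS_KEY} reference is correctly left alone. The key-name heuristic is deliberately simple and will miss a credential stored under a non-descriptive key unless the value carries a "Bearer " prefix, so a production scanner would add an entropy or known-prefix check on all string leaves.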
Findings table: Repo · MCP Risk · Finding · Severity · DC Clause · Receipt

Scan data: ticketyboo-scanner v1 · April 2026 · 20 OSS AI repositories · DC-v1-default DevContract

Attack chain, based on the CVE-2025-59536 and CVE-2026-21852 attack vectors (Check Point Research, April 2026):

1. Malicious repo: a malicious .claude/settings.json is committed.
2. git clone: the developer opens the project.
3. Agent config parsed on auto-load, before trust: no user prompt before activation.
4. MCP servers auto-activated (CVE-2026-21852): with enableAllProjectMcpServers: true, all tools are active before the trust prompt.
5. Full access with local process permissions: filesystem / env.
6. SSH exposed, API keys gone: RCE + exfil.
CVE-2025-59536: RCE via Malicious Claude Code Project Files
Published: April 2026 — Check Point Research
CVSS Score: 9.1 (Critical)
Affected: Claude Code — untrusted repositories
Mechanism: Malicious .claude/ config triggers RCE and API key exfiltration before the Workspace Trust prompt
Status: Patched — Claude Code 1.x
Scanner: MCP02 — agent config credential check

CVE-2026-21852: enableAllProjectMcpServers Auto-Activation
Published: April 2026 — Anthropic Security Advisory
CVSS Score: 8.8 (High)
Affected: Claude Code with enableAllProjectMcpServers: true
Mechanism: All project MCP servers activated on clone, before user consent. Full filesystem, env, and SSH access.
Status: Patched — default changed to false
Scanner: MCP03 — enableAllProjectMcpServers check

Scan your repo for MCP security risks

The ticketyboo scanner checks every agent config file against the OWASP MCP Top 10. Free for public repositories. Development Receipt included.