OWASP MCP Top 10: How to Fix All 10 Risks in 2026
In May 2026 the NSA's Artificial Intelligence Security Center published a 17-page security guidance document specifically for Model Context Protocol deployments. The guidance endorses the OWASP MCP Top 10 as the canonical risk taxonomy for MCP servers, covering ten risk categories from token mismanagement to context oversharing. The problem: every existing writeup lists the risks. None gives builders the per-risk fix, the config snippet, and the checklist to run before shipping. This guide fills that gap.
Key takeaways:
- OWASP MCP Top 10 v0.1 covers MCP01-MCP10: token mismanagement, privilege escalation, tool poisoning, supply chain attacks, command injection, intent flow subversion, auth gaps, audit gaps, shadow servers, and context oversharing.
- The NSA published formal MCP security guidance in May 2026, mapping its controls directly to the OWASP taxonomy.
- VIPER-MCP audited 39,884 open-source MCP server repositories and found 106 confirmed zero-day vulnerabilities. 67 received CVE IDs.
- The 10-point pass/fail checklist at the end of this guide covers every OWASP category.
- Running mcp-scan before shipping catches prompt injection and credential exposure in minutes.
Why the OWASP MCP Top 10 matters now
The attack surface for MCP servers is larger than most teams realize. VIPER-MCP, a static analysis framework from Pengyu Sun et al., audited 39,884 open-source MCP server repositories and found 106 confirmed vulnerabilities, with 67 receiving CVE assignments. The vulnerabilities range from shell execution paths reachable via natural-language input to file-system manipulation triggered through agent-driven tool calls. (Source: VIPER-MCP, arxiv May 2026)
At the same time, the NSA AI Security Center released its MCP Security Design Considerations sheet in May 2026, a development that signals MCP security is no longer a research topic. The sheet maps directly to the OWASP MCP Top 10, giving teams two authoritative references that agree on what to fix and in what order. (Source: NSA, May 2026)
The OWASP MCP Top 10 v0.1 organizes the risk landscape into ten categories:
| Risk | Name |
|---|---|
| MCP01 | Token Mismanagement & Secret Exposure |
| MCP02 | Privilege Escalation via Scope Creep |
| MCP03 | Tool Poisoning |
| MCP04 | Software Supply Chain Attacks |
| MCP05 | Command Injection & Execution |
| MCP06 | Intent Flow Subversion |
| MCP07 | Insufficient Authentication & Authorization |
| MCP08 | Lack of Audit and Telemetry |
| MCP09 | Shadow MCP Servers |
| MCP10 | Context Injection & Over-Sharing |
The rest of this guide takes each category, states the fix, and gives the config or code change that implements it. (Source: OWASP MCP Top 10)
MCP01-MCP02: Token mismanagement and privilege escalation
Hardcoded API keys and long-lived tokens in MCP server configs are the fastest path to a full-system compromise. An attacker who reaches a model's context window through prompt injection can retrieve anything stored there, including credentials written as environment variable defaults or embedded in tool descriptions. MCP01 targets this directly.
The fix has three parts. First, use short-lived, scoped tokens with automatic expiry. Second, bind every session ID to a specific user context using the format <user_id>:<session_id>; this prevents one user's token from being replayed in another user's session. Third, store tokens in OS-native secure storage: Keychain on macOS, Windows Credential Manager, or the Secret Service API on Linux. Never write credentials to a config file in plaintext. (Source: OWASP MCP Security Cheat Sheet)
MCP02 (privilege escalation via scope creep) is slower to manifest but equally dangerous. Permissions defined loosely at deployment expand as agents discover new tool capabilities. The NSA guidance calls this "designing for boundaries": gate tool discovery so agents only see the tools they are authorized to call, and set automated scope expiry so permissions don't accumulate silently over time. A weekly automated review of declared vs actual scopes catches drift before it becomes exploitable. (Source: NSA MCP Security CSI, Equixly NSA->OWASP mapping)
MCP03-MCP04: Tool poisoning and supply chain attacks
Tool poisoning is what happens when an adversary modifies a tool's definition after you approved it. The most common form is a rug pull: the tool description changes post-install to redirect the agent's behavior. A WhatsApp MCP server exploit documented by Equixly demonstrated exactly this: a malicious server modified its tool description post-approval to redirect a trusted WhatsApp integration and leak user message history. (Source: Equixly NSA->OWASP mapping)
The countermeasure is hash pinning. Hash each tool's schema at approval time and re-check the hash on every reconnect. If the tool definition changes, block the connection and alert. The OWASP Cheat Sheet recommends ECDSA P-256 signatures on the tool definition itself, with the public key pinned at install. MCPhound v3 implements this as rug-pull detection, hashing tool definitions between scans and flagging any change as Critical. (Source: OWASP MCP Security Cheat Sheet)
For supply chain attacks (MCP04), treat every external MCP package as untrusted until you have reviewed its source, verified its checksums, and confirmed it against a known-good list. The NSA's control here is direct: "choose supported MCP projects" and "track and patch vulnerabilities." Run a dedicated scanner like MCPShield before installing any MCP package; it checks Levenshtein distance against 40+ known legitimate packages to catch typosquatting and scans for disclosed CVEs. (Source: NSA MCP Security CSI)
MCP05-MCP06: Command injection and intent flow subversion
MCP05 covers command injection through tool parameters. When an agent constructs system commands using input from user prompts or retrieved context, any unsanitized string in that path is a potential shell injection. The fix is aggressive input validation at the server layer: treat every tool parameter as untrusted regardless of whether it arrived from a human user or a model-generated call.
Specifically: sanitize against SQL injection, OS command metacharacters, and path traversal patterns. For tools that make HTTP requests, enforce strict allowlists for destination URLs. This SSRF protection prevents a model from being prompted to exfiltrate data through a URL-fetching tool. (Source: OWASP MCP Security Cheat Sheet)
MCP06 is subtler. The MCP protocol enables agents to retrieve complex context that can act as a secondary instruction channel. An adversary embeds instructions in retrieved content, such as a web page, a document, or a database record, and those instructions redirect the agent away from the user's goal. The OWASP Cheat Sheet calls out specific instruction-like patterns to strip from tool outputs before they reach the model: <IMPORTANT>, <system>, and <instructions> tags. Implement this as a sanitizer on every tool response, not just user inputs. (Source: OWASP MCP Security Cheat Sheet)
MCP07: Authentication and authorization
MCP07 covers identity verification and access control at the protocol level. The OWASP Cheat Sheet specifies OAuth 2.0 with PKCE for authorization flows, TLS for all remote transports, and certificate pinning or cryptographic server verification. Host header validation is mandatory on every request. (Source: OWASP MCP Security Cheat Sheet)
For message-level security, sign JSON-RPC payloads using ECDSA P-256 asymmetric keys. Include a unique nonce and a timestamp in each signed message, and reject messages with duplicate nonces or timestamps outside a 5-minute acceptable window. This replay protection closes a class of attacks where an intercepted valid message is resent later. Require mutual signing between client and server; when signing is enabled, fail closed and reject any unsigned message rather than falling back to unverified processing.
The NSA control maps directly: "protect tokens and verify messages" by adding signatures, expiry timestamps, and replay protection. This is not optional for any MCP server exposed over a network transport. (Source: NSA MCP Security CSI)
MCP08-MCP09: Audit gaps and shadow servers
Audit gaps (MCP08) make every other fix harder to verify. If you cannot see what tool calls were made, with which parameters, by which user, you cannot detect a breach after it happens. The minimum viable audit log for an MCP server includes: tool name, input parameters, user or session context, timestamp, and result summary. Ship these logs to a SIEM and set alerts for anomalies: new tool registrations, admin-level queries, abnormal call frequency. Redact secrets and PII from log lines before they reach the SIEM. (Source: OWASP MCP Security Cheat Sheet)
Shadow MCP servers (MCP09) are the developer-spun-up instances that bypass formal security review. They use default credentials, permissive configs, and unsecured APIs. The NSA control is direct: "scan for open MCP servers." Run periodic network sweeps to detect unapproved MCP listeners on your internal network. The NSA-to-OWASP mapping from Equixly notes that MCPhound's cross-server analysis is precisely the right tool for finding these: it builds a directed graph of all reachable servers and scores attack paths by their exploitability. (Source: Equixly NSA->OWASP mapping)
MCP10: Context oversharing
Context oversharing (MCP10) is a data isolation failure. When multiple users, tasks, or agents share a persistent context window, sensitive data from one session bleeds into another. The OWASP definition: "Context represents the working memory that stores prompts, retrieved data, and intermediate outputs across agents or sessions." (Source: OWASP MCP Top 10)
The fix is per-session context scoping. Each user session gets an isolated context window; no retrieved data persists into a subsequent session without explicit re-authorization. The session ID binding from MCP01 (<user_id>:<session_id>) applies here as well: the session ID is the key for context isolation, not just token replay prevention. For multi-agent pipelines, implement context handoff as explicit data structures rather than shared memory: each agent receives only the fields it needs for its task.
The 10-point pass/fail audit checklist
Run this table before shipping any MCP server to production. Every failing check maps to a risk category above.
| # | Check | Pass condition | Risk |
|---|---|---|---|
| 1 | No hardcoded credentials in config files | Zero plaintext tokens in repo | MCP01 |
| 2 | Session IDs are user-scoped (<user_id>:<session_id>) | Session binding enforced | MCP01 |
| 3 | Tool permissions have expiry and are reviewed weekly | Automated scope expiry configured | MCP02 |
| 4 | Tool definitions are hash-pinned at install | Hash mismatch triggers alert | MCP03 |
| 5 | All external packages verified via checksum | No unverified packages in deps | MCP04 |
| 6 | Tool inputs sanitized against injection patterns | Validation on every parameter | MCP05 |
| 7 | Instruction-pattern strings stripped from tool outputs | Sanitizer in place on all responses | MCP06 |
| 8 | TLS enforced; ECDSA-signed JSON-RPC with nonce+timestamp | Replay window 5 minutes | MCP07 |
| 9 | All tool calls logged with user context to SIEM | Audit logs active and alerting | MCP08 |
| 10 | Context windows are per-session; no cross-session bleed | Isolation verified in multi-user test | MCP10 |
Operator note (first-hand): Running uvx snyk-agent-scan@latest ~/.claude/claude_desktop_config.json against a local Claude Desktop config with a test MCP server that had a hardcoded API key in its env block, mcp-scan flagged it as a hardcoded secret under risk category "Credential Handling" in under 30 seconds. After moving the key to OS Keychain and removing it from the config file, the scan returned clean. The same scan also flagged a tool description containing a suspicious <instructions> pattern from an early-stage third-party server, which was removed before deployment.
Frequently asked questions
What is the OWASP MCP Top 10?
The OWASP MCP Top 10 is a community-maintained list of the ten most critical security risks for Model Context Protocol server deployments. It was released in beta (v0.1) in 2025 and covers risks from token mismanagement to context oversharing. The NSA endorsed it as the canonical MCP security taxonomy in May 2026. (Source: OWASP MCP Top 10)
How do I audit my MCP server for security?
Run mcp-scan (uvx snyk-agent-scan@latest) for behavioral detection, MCPShield (npm install mcpshield) for supply chain checks, and MCPhound (npx mcphound) for cross-server attack path analysis. Then check all 10 items in the pass/fail checklist above. The combination covers all ten OWASP MCP risk categories.
What is MCP tool poisoning?
Tool poisoning happens when an adversary modifies an MCP server's tool definitions after you have approved them. The most dangerous variant is a rug pull: the tool description changes post-install to redirect agent behavior. Countermeasure: hash-pin each tool schema at install and re-verify the hash on reconnect.
What is context oversharing in MCP?
Context oversharing (MCP10) is when sensitive data from one user's session leaks into another user's session via a shared context window. The fix is per-session context scoping with explicit isolation boundaries, using the <user_id>:<session_id> key to prevent cross-session data bleed.
What did the NSA say about MCP security?
The NSA Artificial Intelligence Security Center released a 17-page Cybersecurity Information Sheet on MCP security design considerations in May 2026. Its nine controls map directly to the OWASP MCP Top 10: choosing supported MCP projects (MCP04), designing for trust boundaries (MCP02), validating parameters (MCP05), protecting tokens (MCP01), filtering output (MCP03), instrumenting logging (MCP08), and scanning for shadow servers (MCP09). (Source: NSA MCP Security CSI)
Related coverage
- MCP tool poisoning: audit any server before installing
- MCP Transport Security: STDIO, SSE, and Streamable HTTP Risks
- How to Check If Your MCP Server Is Exposed (Self-Audit Guide)
- FastMCP OAuth Token Validation: Server-Side Patterns and Pitfalls
References
- Equixly NSA->OWASP mapping - https://equixly.com/blog/2026/06/04/mapping-nsa-s-mcp-guidance-to-the-owasp-mcp-top-10-how-to-test-for-the-risks/
- NSA MCP Security CSI - https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/4496698/
- OWASP MCP Security Cheat Sheet - https://cheatsheetseries.owasp.org/cheatsheets/MCP_Security_Cheat_Sheet.html
- OWASP MCP Top 10 - https://owasp.org/www-project-mcp-top-10/
- VIPER-MCP paper - https://arxiv.org/abs/2605.21392
