MCP Protocol's Provenance Gap Enables Confused Deputy Attacks on AI Agents
The Model Context Protocol (MCP), which connects large language models to external systems like databases and APIs, contains a structural security flaw known as the 'confused deputy' problem. Because MCP does not cryptographically verify the origin or integrity of tool call results, a model cannot distinguish between trusted and attacker-controlled content entering its context window. Attackers can exploit this by injecting malicious instructions into web pages fetched by the official MCP fetch server, potentially manipulating the model into executing unauthorized actions. The protocol's ToolAnnotations fields, meant to describe tool behavior, are advisory only and can be falsified by a compromised server with no way for clients or models to verify them. This design gap makes indirect prompt injection a practical attack vector against any agentic deployment relying on MCP for external tool access.
This is an AI-generated summary. ShortSingh links to the original source for the complete article.
Discussion (0)
Log in to join the discussion and vote.
Log in