Researchers Compile Top 25 MCP Vulnerabilities

Specialists from Adversa have published an analysis of the top 25 vulnerabilities of the Model Context Protocol (MCP). The researchers describe this work as “the most comprehensive analysis of MCP vulnerabilities to date.”

What MCP Is—and Why It Matters
The Model Context Protocol (MCP), developed by Anthropic and released as an open standard in 2024, provides a consistent method for connecting data sources with AI tools in a secure and accountable way. It defines how AI agents interact with tools, other agents, data, and context.
Like any other software, MCP is not immune to weaknesses. As we discussed in a separate article, vulnerabilities in the protocol could be exploited by malicious actors.

Adversa’s Contribution vs. OWASP’s Future List
OWASP is already preparing its own top 10 list of MCP issues, but that project is still underway. Adversa stresses that its work is not an attempt to compete with OWASP but to give immediate guidance to companies building agent-based AI solutions today.
“We will map to OWASP/CSA/NIST where appropriate and also plan to contribute to OWASP’s work on MCP as it formalizes,” the researchers said.

How the Ranking Works
The Adversa table assigns each vulnerability:
- an “official” name (plus common aliases),
- an impact assessment,
- an exploitability rating, and
- links to additional sources.
Impact ranges from Critical (full system compromise or remote code execution) to Low (information disclosure only). Exploitability runs from Trivial (possible with basic knowledge and browser access) to Very Hard (theoretical attacks requiring state-level resources).
The final ranking is calculated using an algorithm that weighs:
- 40% severity of consequences
- 30% ease of exploitation
- 20% prevalence
- 10% difficulty of remediation
Unsurprisingly, prompt injection ranked first, combining critical consequences with ease of exploitation. At the other end, the MCP Preference Manipulation Attack (MPMA) placed 24th due to its minimal impact and high difficulty of exploitation.

Updates and Sources
“The document will be updated every month or as new incidents and CVEs requiring urgent updates emerge,” said Adversa AI co-founder and CTO Alex Polyakov in comments to SecurityWeek.
For now, links in the report point to the initial vulnerability descriptions, but the team plans to replace these with “higher-quality sources as they become available.”

Defense and Mitigation Guidance
Adversa’s report goes beyond listing risks. It also includes a structured playbook with:
- Immediate measures
- A multi-layered defense strategy
- A mitigation timeline
Immediate priorities include mandatory input validation, since 43% of MCP servers remain vulnerable to command injection. “Validate and sanitize ALL incoming data,” the experts warn.
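The input-validation priority above, as an added example (not code from Adversa's report or from any MCP SDK): a hypothetical `dns_lookup` tool handler, showing the shell-string pattern that leaves a server open to command injection beside an allowlist-validated, shell-free form. The tool name, argument names and sample inputs are assumptions made for illustration.

```python
import re
import subprocess

# Hypothetical MCP tool "dns_lookup"; its arguments come from the client/model
# and are untrusted. Tool and argument names are assumptions for illustration.
LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
HOSTNAME_RE = re.compile(rf"{LABEL}(?:\.{LABEL})*", re.IGNORECASE | re.ASCII)
ALLOWED_TYPES = {"A", "AAAA", "MX", "TXT"}


def unsafe_command(arguments):
    """Weak pattern: untrusted text concatenated into a shell string.
    Returned for inspection only; this example never executes it."""
    return "nslookup -type=" + arguments["record_type"] + " " + arguments["hostname"]


def validate(arguments):
    """Allowlist validation: return (hostname, record_type) or raise ValueError."""
    if not isinstance(arguments, dict) or set(arguments) != {"hostname", "record_type"}:
        raise ValueError("unexpected or missing argument")
    hostname, rtype = arguments["hostname"], arguments["record_type"]
    if not isinstance(hostname, str) or not isinstance(rtype, str):
        raise ValueError("arguments must be strings")
    if rtype not in ALLOWED_TYPES:
        raise ValueError("record_type not in allowlist")
    # fullmatch rejects spaces, shell metacharacters, newlines and a leading "-"
    if len(hostname) > 253 or not HOSTNAME_RE.fullmatch(hostname):
        raise ValueError("hostname is not a valid DNS name")
    return hostname, rtype


def safe_argv(arguments):
    """Build an argument vector; no shell ever parses the untrusted values."""
    hostname, rtype = validate(arguments)
    return ["nslookup", f"-type={rtype}", hostname]


def handle_tool_call(arguments):
    """Hardened handler: validate first, then run without a shell, with a timeout."""
    result = subprocess.run(safe_argv(arguments), shell=False,
                            capture_output=True, text=True, timeout=5)
    return result.stdout


# Constructed sample inputs (not taken from the report)
GOOD = {"hostname": "example.com", "record_type": "MX"}
BAD = {"hostname": "example.com; echo INJECTED", "record_type": "MX"}
```

Validation and the argument vector are separate layers: the allowlist rejects malformed input early, and `shell=False` keeps any value that does pass from being interpreted as shell syntax.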
The defense strategy spans four layers:
- Protocol (e.g., mandatory TLS for all connections)
- Application (e.g., parameterized database queries)
- AI-specific protection
- Infrastructure
The mitigation timeline covers three months:
- Immediate: implement authentication on all open endpoints
- Within 1 month: harden input validation and patch known issues
- By month 3: redesign architecture toward a zero-trust model