The Model Context Protocol (MCP), a key technology for AI agents adopted by giants like OpenAI, Microsoft, and AWS, contains critical security vulnerabilities, a new report reveals. Published by security firm Backslash Security, the research details flaws like “NeighborJack,” which exposes servers on local networks.
It also found OS injection risks that could let attackers control host systems. The protocol’s widespread use creates a significant new attack surface for the entire agentic AI ecosystem. In response, Backslash has launched a public security hub to help developers assess risk.
This news highlights an urgent challenge for the fast-growing AI industry, which has rapidly embraced MCP as a standard for agentic interoperability.
A Universal Protocol Meets a Critical Flaw
The Model Context Protocol first emerged in November 2024, introduced by Anthropic to solve a nagging problem in AI development. As Anthropic explained at the time, “Every new data source requires its own custom implementation, making truly connected systems difficult to scale.” The goal was to create a universal language for AI models to connect with external tools, replacing bespoke integrations.
The idea was a resounding success. In a matter of months, the industry’s biggest players, including Microsoft for Azure AI, AWS with its own open-source servers, and OpenAI, announced support. Google DeepMind CEO Demis Hassabis praised it, stating, “MCP is a good protocol and it’s rapidly becoming an open standard for the AI agentic era.”
But this rapid standardization, while boosting development, has now exposed a shared, fragile foundation. The Backslash Security report, which analyzed thousands of publicly available MCP servers, found a startling number were dangerously misconfigured or carelessly built.
‘NeighborJack’ and the Risk of a ‘Toxic Combination’
The most common weakness, found in hundreds of cases, has been dubbed “NeighborJack.” According to the report, these were “MCP servers that were explicitly bound to all network interfaces (0.0.0.0), making them accessible to anyone on the same local network,” as Backslash Security notes. The misconfiguration is simple, but its consequences are critical.
This opens the door for anyone from a coworker in a shared office to an attacker on a public Wi-Fi network to access and potentially manipulate the MCP server. The second major vulnerability involves “Excessive Permissions & OS Injection.”
Dozens of servers were found to permit arbitrary command execution on the host machine. This flaw stems from careless coding practices, such as a lack of input sanitization when passing commands to a system shell. The real-world risk is severe.
As Backslash Security stated in its findings, “The MCP server can access the host that runs the MCP and potentially allow a remote user to control your operating system.” The researchers warn that when these two flaws are present on the same server, the result is a “critical toxic combination.” The report cautions, “When network exposure meets excessive permissions, you get the perfect storm,” allowing a malicious actor to take full control of the host.
An Industry-Wide Blind Spot and Previous Warnings
The security implications are magnified by MCP’s swift and broad adoption. The protocol is being integrated deep into developer workflows, from Microsoft’s VS Code to OpenAI’s Responses API. This widespread integration means a vulnerability in the protocol is not an isolated issue but a systemic risk.
Disturbingly, this is not the first red flag regarding MCP’s security architecture. In May, security firm Invariant Labs discovered a critical vulnerability in GitHub’s popular MCP server. Dubbed the “Toxic Agent Flow,” the exploit allowed an AI agent to be tricked into leaking private repository data.
The attack worked by planting malicious instructions in a public GitHub issue, which the agent would then execute. Technology analyst Simon Willison analyzed the exploit, calling the situation “a lethal trifecta for prompt injection: the AI agent has access to private data, is exposed to malicious instructions, and can exfiltrate information.” This earlier incident highlighted that the way agents interact with untrusted data is a fundamental weak point.
These repeated warnings suggest the industry’s race to build powerful, autonomous agents has outpaced the development of the robust security frameworks needed to control them. The focus has been on capability, not necessarily on the security of the connective tissue.
Mitigation Efforts and the MCP Security Hub
In response to its findings, Backslash Security has taken a proactive step by launching the MCP Server Security Hub. This platform is the first publicly searchable security database dedicated to MCP servers, scoring them based on their risk posture and detailing potential weaknesses.
The firm, via its press release, urges developers to check the hub before using any public MCP server. Backslash also provides several recommendations for developers building their own MCP tools.
These include validating all external inputs, restricting filesystem access, and preferring more secure transport methods like stdio for local tools instead of exposing them over a network. Other experts see this as part of a larger issue with the fragile trust layer of AI.
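The two weaknesses the report describes (a server bound to 0.0.0.0 and tool input passed to a system shell) and the recommended fixes (input validation, no network exposure for local tools) side by side. This is an added illustration written for this article, not code from Backslash Security or from any MCP server it examined; the bind-address classifier, the hostname allowlist and the `ping` tool are assumptions chosen to make the pattern concrete.

```python
"""NeighborJack and OS-injection pitfalls in an MCP tool server, with the hardened form.
Constructed example: the 'ping' tool and its hostname allowlist are assumptions."""
import re
import subprocess
from typing import Sequence

# Conservative hostname allowlist: first char alphanumeric, so an argument can
# never start with '-' and be parsed as an option by the called program.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def check_bind_address(host: str) -> str:
    """Classify the address an MCP server listens on, as a config audit would.
    For purely local tools, stdio transport avoids a listening socket altogether."""
    if host in ("0.0.0.0", "::", ""):
        return "exposed"      # NeighborJack: reachable by anyone on the same network
    if host in ("127.0.0.1", "localhost", "::1"):
        return "loopback"     # only processes on this machine can connect
    return "specific"         # one interface; still review who can reach it


def vulnerable_ping_command(target: str) -> str:
    """The pattern the report warns about: tool input interpolated into a shell string.
    Shown for comparison only and never executed here; a shell metacharacter in
    'target' would be parsed as part of the command line."""
    return f"ping -c 1 {target}"


def hardened_ping_argv(target: str) -> list:
    """Validate against the allowlist, then build an argv list for shell=False."""
    if not HOSTNAME_RE.fullmatch(target):
        raise ValueError(f"rejected tool argument: {target!r}")
    return ["ping", "-c", "1", target]


def run_tool(argv: Sequence[str]) -> subprocess.CompletedProcess:
    """Execute a validated argv without a shell: elements reach execve verbatim."""
    return subprocess.run(list(argv), shell=False, capture_output=True,
                          text=True, timeout=10)


def risk_level(bind_host: str, passes_input_to_shell: bool) -> str:
    """The report's 'toxic combination': network exposure plus shell execution."""
    exposed = check_bind_address(bind_host) == "exposed"
    if exposed and passes_input_to_shell:
        return "critical"
    if exposed or passes_input_to_shell:
        return "high"
    return "low"
```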
The promise of a standardized protocol like MCP remains powerful. However, these security revelations serve as a critical wake-up call. For MCP to become the secure “USB-C port for AI” that its creators envisioned, the industry must now shift its focus from rapid adoption to building a more resilient and secure agentic ecosystem.