MCP Gateway Security: The Threat Landscape and Defense Playbook for Engineering Teams

Endor Labs analyzed 2,614 MCP server implementations and found that 82 percent expose file operations prone to path traversal, 67 percent surface code injection APIs, and 34 percent carry command injection vectors. Most organizations running AI coding agents have already deployed several of these servers without a gateway enforcement layer between them and production systems.

The Model Context Protocol was introduced by Anthropic in November 2024 and adopted across Cursor, Copilot, Claude Code, and a growing list of enterprise AI platforms within months. The adoption curve outran the security tooling by a wide margin. Every MCP server wired into an AI agent extends that agent's access surface — to databases, code repositories, email, cloud APIs, and production environments. By early 2026, that same surface had become the highest-value attack target in the AI coding stack.

What Vulnerability Research Shows About the Current MCP Ecosystem

By early 2026, public CVE databases had logged over 30 MCP-specific vulnerabilities. The range spans trivial path traversals to critical infrastructure risks. CVE-2026-0755, a CVSS 9.8 command injection flaw in a widely-used MCP tool, allowed unauthenticated remote attackers to execute arbitrary code via unsanitized input passed directly into system calls. CVE-2025-6514, a CVSS 9.6 remote code execution vulnerability in mcp-remote, had been downloaded nearly half a million times before disclosure.

Authentication gaps compound the vulnerability surface. The PipeLab State of MCP Security 2026 report indicates that approximately 41 percent of publicly listed MCP servers carry zero authentication. Servers that do implement authentication often rely on OAuth configurations subject to the confused deputy mispattern — where the MCP server acts with broader privileges than the user who invoked it, effectively escalating access without any explicit authorization step.

The Authzed MCP breach timeline tracks over 50 known vulnerabilities across MCP servers, clients, and infrastructure components, with 13 rated critical. That is the threat inventory for a protocol less than 18 months old — and one for which most enterprise organizations have no dedicated monitoring or inventory control.

The Four Attack Vectors You Need to Model

1. Prompt Injection Through Data Channels

Prompt injection holds the top position on the OWASP Top 10 for LLM Applications 2025 and appears again as the leading threat in the OWASP MCP Top 10 published in 2025. In the MCP context the mechanics differ from classic web injection: an attacker does not need to compromise your server. They need to control any data your AI agent reads — a GitHub issue, a support ticket, a Jira comment, a documentation page. The agent processes that content as context and, without instruction/data separation, executes embedded instructions.

A documented 2025 incident illustrates the blast radius: a Cursor agent running with privileged Supabase service-role database access processed user-supplied support tickets. Attackers embedded SQL instructions in ticket content that caused the agent to read and exfiltrate sensitive integration tokens. The MCP specification only "SHOULD" require a human in the loop for sensitive operations — making prompt injection mitigation an implementation decision rather than a protocol guarantee. Palo Alto Networks Unit 42 published a detailed analysis of novel prompt injection attack vectors specific to MCP sampling, identifying several paths enabled by the protocol's current trust model.

2. Tool Poisoning and Rug Pulls

Tool poisoning attacks embed malicious instructions inside MCP tool descriptions that the AI model reads during function selection, but which are not visible to users approving the action. The three primary sub-techniques are: rug pulls (a trusted package updated post-install with malicious tool descriptions), schema poisoning (corrupting interface definitions to misdirect the model's tool selection), and tool shadowing (registering a duplicate tool that intercepts and alters interactions).

The first confirmed malicious MCP package appeared on public registries in September 2025, according to the Authzed MCP breach timeline. Typosquatting and packages impersonating official servers followed within weeks. Unlike npm typosquatting in traditional software supply chains, a poisoned MCP tool can direct the model to take destructive actions using the agent's existing permissions — no further exploit required.

3. Supply Chain Compromise and Remote Code Execution

The OX Security MCP Supply Chain Advisory documented RCE vulnerabilities across multiple ecosystem components, including cases where a single compromised upstream package exposed multiple downstream enterprise deployments. The distribution model for MCP servers — npm packages, GitHub repositories, and largely unvetted registry listings — mirrors early-era npm and PyPI supply chain patterns, but with a significantly larger blast radius: a compromised MCP server holds read and write access to everything the AI agent is authorized to perform.

The June 2025 Asana incident provides a concrete enterprise example: after launching an MCP-powered feature, a bug caused customer data to bleed across MCP instances for two weeks before the integration was taken offline. No external attacker was required — the blast radius came from the trust model the protocol relies on internally. When the boundary between tenants is a software assumption rather than an enforced control, the failure mode is data exposure at scale.

4. Secrets Leakage in MCP Configuration Files

GitGuardian's 2026 research into AI agent credential exposure found 24,008 unique secrets exposed in MCP configuration files — API keys, database credentials, and service tokens stored in plain text in IDE configuration files such as .cursor/mcp.json and .claude/settings.json. These files are commonly created following setup tutorials that instruct developers to paste credentials directly into the file, and are then committed to version control as part of normal workflow.

GitGuardian also reported that commits co-authored by AI coding tools in 2025 leaked secrets at roughly double the baseline rate — a pattern consistent with agents generating configuration files without applying the secrets hygiene rules developers apply manually. This is not a developer behavior problem. It is a tooling design gap, and it requires enforcement at the commit layer rather than a training intervention.

Why Standard AppSec Controls Miss the Gateway Layer

Most enterprise application security programs were designed for environments where humans write code that calls services under explicit authorization. They were not built for environments where AI agents write code, call services autonomously, and process external data as instruction context. The control gaps that matter most at the MCP gateway layer are structural:

• No standardized audit logging in the MCP protocol — forensic analysis after an incident requires custom gateway instrumentation; the specification provides no native event stream

• No identity propagation — the gateway sees the agent's service account, not the developer or user who triggered the action; attribution for privileged operations is absent by design

• No input validation at the MCP client layer — the protocol does not mandate validation of tool arguments or return values before they are processed by the model

• No tool registry governance — most organizations have no inventory of which MCP servers are deployed, who authorized them, or what permissions each server holds

• Standard SAST and DAST tools analyze code syntax, not behavioral chains — code that passes static analysis can still enable data exfiltration via a prompt injection path the tool never instrumented

A VentureBeat survey found that 88 percent of enterprises reported AI agent security incidents in the past year. The enforcement gap is primarily a visibility and governance problem, not a patching problem. Organizations cannot remediate attack paths they have not inventoried.

The Aikido Security 2026 State of AI in Security and Development report, drawing on responses from 450 CISOs and developers, found that security teams are responding to AI-generated code incidents faster than to traditionally-written code incidents — but that detection tooling lags the threat surface by a significant margin. Speed of response matters less when detection arrives late.

What to Do Now

1. Inventory every MCP server in use. Include IDE plugins (Cursor, Copilot, Claude Code), CI/CD integrations, and any server that processes external data sources. Document the permissions held by each server and the data it accesses. Without an inventory, you cannot scope your exposure or prioritize remediation.

2. Enforce authentication at the gateway layer. Per-server authentication scales poorly and produces inconsistent enforcement. Deploy an MCP gateway proxy as a single enforcement point. Require mTLS or signed bearer tokens; reject all unauthenticated calls at the gateway before they reach any downstream server.

3. Apply strict least privilege per server. Each MCP server should hold only the permissions required for its specific function. Privileged credentials — database admin, production write access, cloud management APIs — must never be available to servers that process untrusted external input.

4. Scan all MCP configuration files for secrets. Extend your secrets-scanning coverage to include .cursor/mcp.json, .claude/settings.json, and equivalent IDE configuration paths. Add these to your pre-commit hooks and CI pipeline. These files are high-yield credential targets because both developers and agents populate them with raw credentials.

5. Treat every external data source as a potential injection vector. Any content the agent reads from GitHub issues, support tickets, email, web pages, or documentation should be handled as untrusted input. Implement instruction/data separation at the prompt construction layer so embedded content cannot be processed as instructions by the model.

6. Require explicit human approval for sensitive tool operations. For any MCP tool that can write, delete, or exfiltrate data, implement a mandatory confirmation step that surfaces the specific tool call and arguments to a human before execution. Do not rely on the agent's own judgment about what counts as sensitive.

7. Audit MCP package integrity on an ongoing basis. Pin package versions, verify hashes against known-good states, and mirror approved packages through a private registry. Monitor approved packages for post-install updates — rug pull attacks depend on organizations trusting packages they reviewed at install time but have not re-reviewed since.

8. Instrument the gateway for audit logging. The MCP protocol provides no native audit log. Until standardized logging is added to the specification, custom instrumentation at the gateway proxy layer is the only mechanism for producing a forensic record of which tool was called, with what arguments, what it returned, and which agent session initiated the call. Without this, post-incident analysis is guesswork.

Re-entry.ai applies pull request risk scoring and governance controls to the code your AI agents produce. The controls described above — access scoping, audit logging, human approval gates for sensitive actions — map to what the platform enforces at the point where AI-generated code enters your repository. If you are building out your MCP security posture, start with what your agents are already committing. See how it works at re-entry.ai.