MCP Attack Matrix

Attackers compromise MCP-connected tools to manipulate agent behavior, extract context, or return malicious outputs.

Malicious inputs trick agents into skipping validation steps and jumping directly to sensitive tool execution.

Malicious or unauthorized tools impersonate legitimate ones to hijack execution within MCP-based workflows.

LLMs misinterpret untrusted tool responses as prompts, allowing attackers to influence or control model behavior.

LLMs invoke backend actions they should not, due to missing or bypassed authorization checks.

Backends change tool behavior mid-session, breaking trust assumptions and enabling unexpected execution paths.

Weak or misconfigured auth in tool APIs allows attackers to impersonate users or escalate privileges.

Attackers probe LLM-connected servers or replay tool calls to uncover internal services and abuse logic.

Secrets like API keys or tokens leak through prompts, memory, logs, or tool responses.

Attackers manipulate long-term memory to inject persistent prompts or bias future actions.

LLMs reveal internal or sensitive data in responses when tool boundaries or filters fail.

Agents leave open connections vulnerable to data leaks, hijacking, or unauthorized access during tool streaming.

Agents or tools accept unsafe inputs that lead to downstream vulnerabilities or unexpected behavior.

Untrusted content from tools, files, or APIs is interpreted as instructions, leading to unwanted model behavior.

Attackers exploit conditional logic in agents to trigger sensitive tools under manipulated contexts.

Untrusted inputs from files, APIs, or tools indirectly trigger harmful behavior inside the LLM.

Attackers rapidly trigger tool invocations, overwhelming infrastructure or bypassing usage controls.