The MCP Vulnerability Wave Is Not Theoretical

Model Context Protocol — the open standard that connects large language models to tools, databases, and external services — has become the connective tissue of enterprise AI automation. It also became 2026's fastest-growing attack surface.

In May 2026, researchers at OX Security disclosed what they described as "the mother of all AI supply chain vulnerabilities": a systemic flaw spanning Anthropic's MCP implementations across Python, TypeScript, Java, and Rust SDKs. Between January and February alone, the security community filed more than 30 CVEs targeting MCP servers, clients, and infrastructure components. By late May, that number exceeded 40.

The vulnerability classes are not exotic. A scan of 7,000+ MCP servers found 36.7% vulnerable to Server-Side Request Forgery — an old attack vector now weaponized against AI agent infrastructure. Transport layer security is absent in a significant share of early deployments, leaving MCP sessions transmitted over plaintext HTTP exposed to interception. Tool poisoning, where crafted tool descriptions manipulate an LLM into selecting the wrong tool and leaking data or executing unauthorized actions, rounds out the top three attack patterns.

What makes this uniquely dangerous for enterprise environments: only 29% of organizations report they are prepared to secure agentic AI deployments. The tools are moving faster than the controls, and the attack surface created by AI agent infrastructure is being actively exploited right now.

How Tool Poisoning Actually Works

Tool poisoning deserves more attention than it typically gets in security briefings because the attack vector is subtle enough to bypass conventional threat modeling. When an AI agent is given access to a set of tools, it reads the tool descriptions to decide which one to call. A malicious actor who can inject or modify a tool description can effectively rewrite the agent's decision logic without touching any application code.

A simple example: an MCP server that provides a file access tool has its description modified to append hidden instructions. The hidden text is invisible in the UI but readable to the LLM, directing it to also exfiltrate the contents of credential files when invoked. Because the agent is acting on the tool description rather than a user instruction, standard DLP policies may not intercept the action. The request looks like normal tool execution.

The mitigation is architectural: tool allowlisting enforced at the orchestration layer, cryptographic signing of tool manifests, and agent execution sandboxing that limits what any single tool call can access. None of these controls are complex. None are default in most MCP deployments.

Kubernetes Token Theft Is Up 282% — And AI Is the Accelerant

The MCP crisis does not exist in isolation. Kubernetes service account token theft surged 282% over the past twelve months, with the IT sector absorbing 78% of targeted attacks. The attack chain is increasingly AI assisted: threat actors are using LLMs to automate credential harvesting and transition from a compromised developer environment to full cloud administration access in under 72 hours by abusing OpenID Connect trust relationships between CI/CD pipelines and cloud platforms.

Google Cloud's H1 2026 Threat Horizons Report confirms the pattern: most cloud incidents originate not from software exploits but from misgoverned identities — excessive IAM permissions, long lived credentials, and overly permissive service accounts. When an AI agent operates with a service account that holds administrator-level cloud permissions, a single prompt injection or tool poisoning attack converts that agent into a persistent threat actor operating through your legitimate APIs.

The attack surface compounds. Agentic AI workflows chain multiple MCP tools — file access, code execution, API calls, database reads — in a single automated sequence. A successful tool poisoning attack does not compromise one step; it can compromise the entire chain. The blast radius of a single compromised AI agent is orders of magnitude larger than a compromised human user account, because the agent operates at machine speed and with broader system access than any single employee would have.

The Authentication Gap in Agentic AI

One of the structural weaknesses in current MCP deployments is the assumption that authentication at the human layer is sufficient. An employee authenticates to their IDE or enterprise AI platform. The AI agent then receives a delegated credential and makes downstream calls on that user's behalf. In most implementations, there is no additional authentication step at the MCP transport layer, no rate limiting on tool invocations, and no anomaly detection for agent behavior patterns.

This creates a specific attack scenario that security teams have not historically modeled: a fully authenticated agent acting on a fully authenticated user's session, executing actions that are individually plausible but collectively represent data exfiltration or unauthorized system modification. The individual tool calls pass authentication. The aggregate behavior represents a breach. Detecting it requires behavioral monitoring at the agent execution layer, not just perimeter authentication.

The organizations managing this risk effectively are building dedicated observability for agent execution: logging every tool call with its parameters, building baselines for normal agent behavior, and alerting on deviations such as unusual call volumes, calls to unexpected endpoints, or tool invocations that do not match the task context. This is not complex engineering. It is the same behavioral monitoring pattern that works in human user activity analysis, applied to a new principal type.

Concurrent: SharePoint RCE and the Patching Pressure

Microsoft patched CVE-2026-45659 this month — a remote code execution vulnerability in SharePoint with a CVSS score of 8.8, exploitable without specialized conditions. For enterprises running hybrid Microsoft environments alongside AI automation workflows, the combination represents a broad attack surface: legacy collaboration infrastructure on one side, unprotected agentic AI pipelines on the other.

Palo Alto Networks' May patch advisories noted that the majority of newly discovered findings resulted from frontier AI models scanning vendor code — a signal that AI assisted vulnerability discovery is accelerating disclosure timelines and compressing the window between patch release and active exploitation. The defenders who move fastest from disclosure to patched production are the ones who avoid the breach that follows.

What Executives Must Do Before Q3

Audit every MCP server in your environment this week. Catalog which models connect to which tools, which service accounts those tools use, and what permissions those accounts hold. The exposure you cannot see is the exposure that will be exploited.

Enforce TLS on all MCP transport layers immediately. Plaintext MCP is not a misconfiguration to defer — it is an open channel that any network observer can read.

Implement tool allowlisting. Agents should only be able to call explicitly approved tools. Dynamic tool registration without validation is the primary vector for tool poisoning attacks.

Add behavioral monitoring at the agent execution layer. Log every tool call, build a baseline, and alert on volume anomalies or unexpected endpoint calls. The investment is small and the detection value is high.

Rotate Kubernetes service account tokens and audit OIDC trust relationships. The 282% surge in token theft is targeting exactly the long lived, over-permissioned credentials that most organizations have not reviewed since initial cluster deployment.

Apply CVE-2026-45659 patches now. SharePoint RCE with a CVSS of 8.8 and no exploitation prerequisites warrants emergency-change-window treatment, not next-cycle scheduling.

Why Most Enterprise MCP Security Reviews Have Not Happened Yet

The gap between the scale of MCP deployment and the security review activity around it is not unique to this vulnerability class. It follows the standard pattern of enterprise security catching up to enterprise adoption. The pattern is familiar: a new technology gets deployed because it delivers clear business value, the security review process does not move as fast as the adoption, and the window between deployment and security review is where exploitation happens.

With MCP, the adoption curve has been unusually steep because the productivity gains from AI agent tooling are visible and immediate. A developer who installs an MCP server for their IDE gets tangible value the first day. The security implications of that MCP server's access to the developer's file system, the organization's code repositories, and potentially the internal APIs the developer is authenticated to — those implications are not visible and not immediate. They are background risk accumulating while the productivity benefit is captured in the foreground.

The organizations that will avoid MCP breach headlines are the ones that treat this as an architectural review, not a patch cycle. The questions are not "is this specific CVE patched?" but "which AI agents are running in this environment, what are they connected to, and what are the blast radius implications if any one of them is compromised?" Those questions require a different type of review than a vulnerability scanner provides, and they need to happen at the design and deployment stage, not after the fact.

How ITSulu Can Help

ITSulu's AI Network Automation and Automated Kubernetes Operations practices work directly at this intersection: AI agents operating inside Kubernetes clusters with cloud API access. The MCP vulnerability landscape is not a future concern for clients running agentic automation today — it is an active exposure that requires structured review now.

We incorporate MCP security audits, service account permission reviews, tool allowlist enforcement, and agent behavioral monitoring into every AI automation engagement as baseline deliverables. If your organization has deployed AI agents and has not yet conducted a structured MCP security review, that review is overdue. The threat surface is real, measurable, and being actively exploited.

Contact ITSulu today to schedule an MCP security assessment and AI automation architecture review.