Skills
Cloudflare Ships Shadow MCP Detection in Gateway: JSON-RPC Body Inspection Catches Unauthorized MCP Servers Even Without Telltale URIs
During Agents Week 2026, Cloudflare added rules to Cloudflare Gateway that detect unauthorized remote MCP servers by inspecting JSON-RPC body fields (method values like 'tools/call', 'prompts/get', 'initialize'). DLP-based body inspection catches MCP traffic even when URIs don't contain '/mcp' or '/sse'. Shadow MCP — employees connecting unsanctioned MCP servers to AI tools — is emerging as the 2026 equivalent of shadow AI. The detection pairs with new MCP Server Portals that place Cloudflare Access (SSO + MFA) in front of every authorized MCP server.
Source
↳ Follow the thread