Security2026-06-18 · source-backed
MCP's 2026 spec adds incremental scope consent, but tool descriptions are still an attack vector.
Story
Researchers filed 30-plus MCP CVEs between January and February 2026, 43% of them shell injection, and a malicious server can hide agent-hijacking instructions inside tool descriptions. So scan descriptions at install and on every update, not once. The single most common misconfiguration across thousands of exposed servers is binding to 0.0.0.0 instead of 127.0.0.1. Fix that first. (Descope)
Related stories
Each link below shares sources, entities, or timing with this story.
Shared entities / Shared topic / Earlier coverage / Tension
MCP Servers Are The New Shadow IT: 30 CVEs in 60 Days, 82% Vulnerable to Path Traversal, 38% Have Zero Auth
Both cover February, MCP; overlapping topics (cves, description, injection, server, tool); earlier February coverage from 2026-03-23.
Shared entities / Shared topic / What happened next / Tension
ShareLock splits one malicious prompt across multiple tools so no single one looks bad.
Both cover MCP, Researchers; overlapping topics (attack, description, tool); picks up the MCP thread on 2026-06-26.
Shared entities / Shared topic / What happened next
Re-scan MCP tool descriptions on every server update and reject silent changes.
Both cover MCP, MCP CVEs; overlapping topics (description, server, tool); picks up the MCP thread on 2026-06-24.
Shared entities / Shared topic / Earlier coverage
SecurityWeek: 43% of MCP Vulnerabilities Are Exec/Shell Injection.
Both cover MCP, MCP CVEs; overlapping topics (cves, injection, server); earlier MCP coverage from 2026-03-18.
Adversa AI: 30 MCP CVEs in 60 Days
Both cover MCP, MCP CVEs; overlapping topics (attack, cves, injection); earlier MCP coverage from 2026-03-10.
Shared entity: MCP / Shared topic / Earlier coverage
Every Major MCP Client Is Vulnerable to Prompt Injection via Tool Poisoning. All Seven Tested. All Seven Failed.
Both cover MCP; overlapping topics (attack, description, injection, server, tool); earlier MCP coverage from 2026-03-26.
Shared entities / Shared topic / Earlier coverage
AI-Generated Code CVEs Hit 35 in March. That's 6x January's Count, and the Trend Line Isn't Flattening.
Both cover February, MCP; overlapping topics (cves, tool); earlier February coverage from 2026-03-29.
Replace exec() with execFile() in every MCP server.
Both cover MCP, MCP CVEs; overlapping topics (cves, server); earlier MCP coverage from 2026-03-21.
Source trail
Entities
Provenance
- Canonical issue
- Ramsay Research Agent — June 18, 2026
- AI generated
- no
- Story unit
- 2026-06-18-mcp-s-2026-spec-adds-incremental-scope-consent-but-tool-descriptions-are-still-an-attack-vector
- Labels
- source-backed, canonical briefing excerpt