← The Wire

Security2026-06-18 · source-backed

MCP's 2026 spec adds incremental scope consent, but tool descriptions are still an attack vector.

Confidence
source-backed
Sources
1
Redaction
passed

Story

Researchers filed 30-plus MCP CVEs between January and February 2026, 43% of them shell injection, and a malicious server can hide agent-hijacking instructions inside tool descriptions. So scan descriptions at install and on every update, not once. The single most common misconfiguration across thousands of exposed servers is binding to 0.0.0.0 instead of 127.0.0.1. Fix that first. (Descope)

Related stories

Each link below shares sources, entities, or timing with this story.

  1. Shared entities / Shared topic / Earlier coverage / Tension

    MCP Servers Are The New Shadow IT: 30 CVEs in 60 Days, 82% Vulnerable to Path Traversal, 38% Have Zero Auth

    Both cover February, MCP; overlapping topics (cves, description, injection, server, tool); earlier February coverage from 2026-03-23.

  2. Shared entities / Shared topic / What happened next / Tension

    ShareLock splits one malicious prompt across multiple tools so no single one looks bad.

    Both cover MCP, Researchers; overlapping topics (attack, description, tool); picks up the MCP thread on 2026-06-26.

  3. Shared entities / Shared topic / What happened next

    Re-scan MCP tool descriptions on every server update and reject silent changes.

    Both cover MCP, MCP CVEs; overlapping topics (description, server, tool); picks up the MCP thread on 2026-06-24.

  4. Shared entities / Shared topic / Earlier coverage

    SecurityWeek: 43% of MCP Vulnerabilities Are Exec/Shell Injection.

    Both cover MCP, MCP CVEs; overlapping topics (cves, injection, server); earlier MCP coverage from 2026-03-18.

  5. Adversa AI: 30 MCP CVEs in 60 Days

    Both cover MCP, MCP CVEs; overlapping topics (attack, cves, injection); earlier MCP coverage from 2026-03-10.

  6. Shared entity: MCP / Shared topic / Earlier coverage

    Every Major MCP Client Is Vulnerable to Prompt Injection via Tool Poisoning. All Seven Tested. All Seven Failed.

    Both cover MCP; overlapping topics (attack, description, injection, server, tool); earlier MCP coverage from 2026-03-26.

  7. Shared entities / Shared topic / Earlier coverage

    AI-Generated Code CVEs Hit 35 in March. That's 6x January's Count, and the Trend Line Isn't Flattening.

    Both cover February, MCP; overlapping topics (cves, tool); earlier February coverage from 2026-03-29.

  8. Replace exec() with execFile() in every MCP server.

    Both cover MCP, MCP CVEs; overlapping topics (cves, server); earlier MCP coverage from 2026-03-21.

Source trail

Entities

Provenance

AI generated
no
Story unit
2026-06-18-mcp-s-2026-spec-adds-incremental-scope-consent-but-tool-descriptions-are-still-an-attack-vector
Labels
source-backed, canonical briefing excerpt