Public story · 2026-06-30 · high
MCP tool poisoning fires silently on every call
The fix: snapshot tool descriptions at install, then diff them against what's served on every later call.
Why now: CVE-2025-54136 is a month old as of the June 30 briefing, and the metadata-you-never-recheck pattern it exposed applies to any MCP server already sitting in your config.
Story
Tool poisoning hides malicious instructions inside the metadata an agent reads before it executes anything, a flaw OX Security disclosed in May as CVE-2025-54136. It fires silently on every call a tool makes, not just the risky-looking ones, which makes it the sharpest attack against agent tool use right now.
Most teams running MCP servers approve a tool once, read its description, and never look again. A gateway that only checks permissions at approval time won't catch a description someone edited after you said yes. The agent still reads the new text on every call, and nothing in a standard approval flow flags that it changed.
The fix is mechanical: snapshot every tool description your MCP servers serve at install, then diff that snapshot against what gets served on every later call. Any wording delta gets flagged for a human to check before the agent acts on it.
Most people running MCP integrations right now have never diffed a tool description after the first install, so this gap is probably open on every server you've already approved. Watch for MCP clients to start shipping that diff by default. Until they do, it's on you to build it.
CVE-2025-54136 is a month old, and the metadata-you-never-recheck pattern it describes applies to any MCP server already sitting in your config.
Related stories
Each link below shares sources, entities, or timing with this story.
Shared entity: CVE / Same source / Earlier coverage
CVE-2026-46519: access-control bypass in mcp-server-kubernetes, CVSS 8.8, patched in 3.6.0.
Both cover CVE; cite the same source (CVE-2025-54136); earlier CVE coverage from 2026-06-12.
CVE-2026-30615: prompt-injection RCE in Windsurf 1.9544.26.
Both cover CVE; cite the same source (CVE-2025-54136); earlier CVE coverage from 2026-06-09.
Shared entity: CVE / Same source domain / Shared topic / Earlier coverage
43% of MCP Servers Vulnerable to Command Execution — 8 Confirmed Incidents This Month
Both cover CVE; reported by the same outlet (adversa.ai); overlapping topics (agent, tool).
Shared entity: CVE / Shared topic / Earlier coverage
The Agent Security Crisis Is Here: 36% of ClawHub Skills Malicious, 30+ MCP CVEs, RCE in Microsoft Agent Framework
Both cover CVE; overlapping topics (agent, alone, attack, audit); earlier CVE coverage from 2026-03-05.
Shared entity: CVE / Shared topic / Earlier coverage / Tension
MCP Servers Are The New Shadow IT: 30 CVEs in 60 Days, 82% Vulnerable to Path Traversal, 38% Have Zero Auth
Both cover CVE; overlapping topics (description, tool); earlier CVE coverage from 2026-03-23.
Two Named CVEs Turn Claude Code Project Files Into Attack Weapons
Both cover CVE; overlapping topics (agent, attack); earlier CVE coverage from 2026-03-20.
Shared entity: CVE / Shared topic / Earlier coverage
CVE-2026-22708 weaponized `git branch` inside Cursor's allowlist.
Both cover CVE; overlapping topics (agent, attack, audit); earlier CVE coverage from 2026-06-23.
AI-Generated Code CVEs Hit 35 in March. That's 6x January's Count, and the Trend Line Isn't Flattening.
Both cover CVE; overlapping topics (agent, audit, tool); earlier CVE coverage from 2026-03-29.
Source trail
Entities
Claim evidence
- MCP tool poisoning fires silently on every call
Provenance
- Canonical issue
- 2026-06-30
- AI generated
- yes
- Story unit
- 2026-06-30-audit-mcp-tools-by-diffing-their-metadata-not-just-gating-them
- Labels
- source-backed, canonical briefing excerpt