Fetching from the wire…
Top 5 · 2026-07-11 · source-backed
The single biggest cross-agent story this week isn't one CVE. It's that MCP became the dominant agent-hijack surface, and this is the defense that actually stops it.
The pattern across a dozen findings: Sentry's MCP server weaponized via fake error events for an 85% agent-hijack rate, a scan of 10,000+ real MCP servers leaking secrets at over 10%, GhostApproval defeating human-in-the-loop across 6 coding agents, and Langflow becoming the first agent platform on CISA's KEV after attackers exfiltrated OpenAI, Anthropic, and AWS keys within 20 hours of disclosure. Every one of these is a confused-deputy attack. A token or context minted for one purpose gets replayed against another.
The defensive pattern that keeps surfacing: encode tool-level scope claims directly into the token, then verify the caller's scope against the specific tool being invoked before any handler logic runs. Not "check permissions somewhere inside the handler." A gate at the very top of each tool handler, keyed to that tool's scope claim, so a token minted for a read tool fails closed when replayed against a write or admin tool.
Say that back plainly: your read token should be physically incapable of calling your delete tool, and that check happens before line one of the delete handler executes. Most MCP servers today derive permissions at runtime inside the handler, which means the vulnerable code has already started running by the time authorization is considered. That ordering is the whole bug class.
I like this as the lead security story precisely because it's not another scare CVE. It's a copy-paste mitigation. Fail-closed, tool-scoped tokens, verified at the handler boundary. Pair it with treating every MCP tool output as untrusted input, even from vendors you trust, since the Sentry attack rode in through a legitimate observability integration, not a malicious server.
If you ship or run an MCP server this week, this is the change: move authorization to a gate at the top of each handler, scoped to that exact tool. Everything else in the security section below is why.
Each link below shares sources, entities, or timing with this story.
AWS partners with Anthropic / Shared entities / Same source
Linked by a graph relationship (AWS partners with Anthropic); both cover Anthropic, AWS, CISA, CVE; cite the same source (Langflow becoming the first agent platform on CISA's KEV).
Anthropic released MCP / Shared entity: MCP / Same source / Shared topic / Earlier coverage / Tension
Linked by a graph relationship (Anthropic released MCP); both cover MCP; cite the same source (defensive pattern that keeps surfacing).
Anthropic released MCP / Shared entities / Shared topic / Earlier coverage
Linked by a graph relationship (Anthropic released MCP); both cover AWS, CISA, MCP; overlapping topics (against, attack, each, token, tool).
AWS partners with Anthropic / Shared entities / Shared topic / Earlier coverage / Tension
Linked by a graph relationship (AWS partners with Anthropic); both cover AWS, MCP, Most MCP; overlapping topics (against, attack, server).
Anthropic released MCP / Shared entity: MCP / Same source / Shared topic / Earlier coverage / Tension / Downstream implication
Linked by a graph relationship (Anthropic released MCP); both cover MCP; cite the same source (weaponized via fake error events for an 85% agent-hijack rate).
Anthropic released MCP / Shared entities / Same source / Shared topic / Earlier coverage
Linked by a graph relationship (Anthropic released MCP); both cover CVE, MCP; cite the same source (scan of 10,000+ real MCP servers leaking secrets at over 10%).
Anthropic partners with Microsoft / Shared entities / Shared topic / Earlier coverage / Tension
Linked by a graph relationship (Anthropic partners with Microsoft); both cover Anthropic, CVE, MCP; overlapping topics (server, tool).
Anthropic partners with Microsoft / Shared entities / Same source domain / Shared topic / Earlier coverage / Tension
Linked by a graph relationship (Anthropic partners with Microsoft); both cover Langflow, MCP; reported by the same outlet (sysdig.com).