Real-World MCP Server Vulnerabilities
Real-World MCP Server Vulnerabilities
These examples illustrate how MCP servers can introduce significant security risks that need careful consideration in deployment and monitoring strategies.
Asana MCP Server Flaw
In June 2025, Asana discovered a security flaw in its experimental Model Context Protocol (MCP) server which is a feature designed to let AI agents interact with enterprise data using natural language. The bug, found a month after launch, could have potentially exposed data from one organization to users in another.
Asana took the MCP server offline for nearly two weeks (June 5–17) to patch the issue, later confirming that all connections had been reset and customers would need to reconnect manually. While there’s no evidence of exploitation, the company acknowledged the risk in a disclosure to affected users.
This incident underscores the importance of strong tenant isolation, least-privilege access, and full query logging when integrating LLMs into enterprise tools, especially in beta environments.
GitHub MCP Server Vulnerability
According to Invariant, a critical vulnerability in the popular GitHub MCP integration that allows attackers to hijack AI agents using malicious GitHub Issues was discovered. The exploit, enabled by prompt injection, can coerce an agent into leaking sensitive data from a user’s private repositories into public ones without any direct compromise of the tools themselves.
The attack requires only a public repo accepting issues and a connected private repo. If the user queries their AI agent (e.g., via Claude Desktop) to check issues, the malicious payload is executed. Invariant demonstrated how an agent could autonomously create a pull request in the public repo containing leaked private data including project names, personal plans, and salary info.
This marks one of the first real-world examples of a “toxic agent flow,” where trusted tools act on malicious prompts. It’s a timely warning as coding agents and AI-powered IDEs gain traction. Invariant recommends stronger input validation, least-privilege access, and automated threat modeling to mitigate such emerging risks.
In another research, Invariant has uncovered several critical vulnerabilities affecting popular MCP clients and servers, including those used by OpenAI, Anthropic, Zapier, and Cursor. These real-world cases expose how agents can be manipulated into leaking data, overriding user intent, or behaving maliciously without the user ever realizing it. Below are three concrete examples that illustrate the severity of the problem.