Bonus 3: Most Common Configuration Mistakes in Real Deployments
Based on incident reviews and red team simulations, the following misconfigurations expose MCP servers to preventable risks.
| Misconfiguration | Risk Description | Exploitation Vector |
| --- | --- | --- |
| World-writable tool folders (chmod 777) | Allows attackers or misbehaving agents to replace tools with rogue code | RCE via tool overwrite |
| Prompt caching without encryption | Previous prompts (including sensitive data) readable in memory or on disk | Confidentiality breach |
| No rate limiting on LLM calls | Allows DoS or cost abuse by looping workflows | Billing flood, resource starvation |
| Public exposure without auth | Anyone can call MCP endpoints, invoke tools, and receive outputs | Full system takeover |
| Shared memory/volume for agents | Allows task leakage or prompt collision across unrelated agents | Context poisoning |
Best Practices for Secure Configuration:
- Use read-only mounted tool paths and sign tool archives with SHA256
- Enable encryption-at-rest (e.g., AES-256) for prompt/result cache
- Define per-user, per-model quota policies
- Never expose MCP endpoints to 0.0.0.0 without at least mutual TLS and token-based auth
- Isolate each agent container with Linux namespaces (unshare), cgroups, and seccomp filters
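The checks in the table and the list above can be turned into a pre-deployment audit. The script below is an added example, not code from the page or from any MCP project; it assumes a hypothetical configuration dictionary (keys `bind`, `tls`, `auth`, `rate_limit`, `cache`, `tool_dirs`, `shared_volumes`, all invented for this example) and inspects real filesystem permissions on the tool directories. It reports one finding per misconfiguration it recognises, and the constructed weak and hardened deployments show the contrast.

```python
"""Audit an MCP server deployment for the misconfigurations listed above.

The config schema (bind, tls, auth, rate_limit, cache, tool_dirs,
shared_volumes) is a hypothetical one constructed for this example.
"""
import os
import stat
import tempfile
from typing import Dict, List


def check_tool_dir(path: str) -> List[str]:
    """Flag tool folders that other users or groups can write to.

    A world-writable folder is the chmod 777 case from the table; a
    group-writable one is flagged too because tool paths should be
    read-only mounts.
    """
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & stat.S_IWOTH:
        findings.append(f"world-writable tool folder: {path} ({oct(mode)})")
    if mode & stat.S_IWGRP:
        findings.append(f"group-writable tool folder: {path} ({oct(mode)})")
    return findings


def audit_config(cfg: Dict) -> List[str]:
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []

    # Public exposure: binding to all interfaces needs both mTLS and token auth.
    bind = cfg.get("bind", "127.0.0.1")
    public = bind in ("0.0.0.0", "::", "[::]")
    tls = cfg.get("tls") or {}
    auth = cfg.get("auth") or {}
    if public and not (tls.get("enabled") and tls.get("require_client_cert")):
        findings.append("public bind without mutual TLS")
    if public and not auth.get("token_required"):
        findings.append("public bind without token-based auth")

    # Rate limiting: must exist and be scoped per user and per model.
    rl = cfg.get("rate_limit") or {}
    if not rl:
        findings.append("no rate limit on LLM calls")
    elif not (rl.get("per_user") and rl.get("per_model")):
        findings.append("rate limit not scoped per user and per model")

    # Prompt/result cache must be encrypted at rest if it is enabled.
    cache = cfg.get("cache") or {}
    if cache.get("enabled") and not cache.get("encryption"):
        findings.append("prompt cache enabled without encryption-at-rest")

    # Volumes mounted into more than one agent leak context between them.
    for vol in cfg.get("shared_volumes", []):
        agents = vol.get("agents", [])
        if len(agents) > 1:
            findings.append(f"volume {vol['path']} shared by {len(agents)} agents")

    # Filesystem check on every configured tool directory.
    for d in cfg.get("tool_dirs", []):
        if os.path.isdir(d):
            findings.extend(check_tool_dir(d))
    return findings


def demo(hardened: bool = False) -> List[str]:
    """Audit a constructed deployment; hardened=True applies the best practices."""
    tool_dir = tempfile.mkdtemp(prefix="mcp-tools-")
    os.chmod(tool_dir, 0o555 if hardened else 0o777)  # read-only vs chmod 777
    cfg = {
        "bind": "0.0.0.0",
        "tls": {"enabled": True, "require_client_cert": hardened},
        "auth": {"token_required": hardened},
        "rate_limit": {"per_user": True, "per_model": True} if hardened else None,
        "cache": {"enabled": True, "encryption": "aes-256-gcm" if hardened else None},
        "tool_dirs": [tool_dir],
        "shared_volumes": [
            {"path": "/var/lib/mcp/scratch", "agents": ["a"] if hardened else ["a", "b"]}
        ],
    }
    try:
        return audit_config(cfg)
    finally:
        os.chmod(tool_dir, 0o700)
        os.rmdir(tool_dir)


if __name__ == "__main__":
    for line in demo():
        print("FAIL:", line)
    print("hardened findings:", demo(hardened=True))
```

Run it once against a weak configuration and once with `hardened=True`; the weak run should produce one finding for each row of the table above, and the hardened run none. In a real pipeline you would feed the server's actual config file and tool mount points into `audit_config` and fail the deployment on any non-empty result.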