MCP (Model Context Protocol) has 77k+ stars and is becoming the standard way AI agents connect to tools. We audited both official SDKs (TypeScript and Python) at the source code level and found three classes of boundary-crossing vulnerabilities.

All three confirmed with live PoC exploits using the SDK's real auth components (BearerAuthBackend, RequireAuthMiddleware, TokenVerifier).

Findings:

1. Tool Capability Shadowing — tool names are flat strings with no namespace or origin tracking. If two servers register "read_data", one silently wins. We validated against gpt-5-nano: the model made path traversal and credential exfiltration tool calls that would route to an attacker's shadow server. 10/10 genuine, 0% FP.

2. Token Audience Confusion — verify_token() takes one parameter: the token string. No expected audience. A read-only token for Server A works on Server B's admin_delete endpoint. This isn't an implementation bug — it's a gap in the SDK interface. Every MCP server built on these SDKs inherits this.

3. Stale Authorization — no push invalidation mechanism. Revoked tokens accepted for the full cache TTL. Scope downgrades invisible until cache expires. In production with 5-minute caches, that's a 5-minute window. JWT-only validation (no introspection) is worse: no revocation possible until the token itself expires (hours to days).

The combined chain: enumerate tools (no namespace isolation) → shadow a tool (silent routing) → escalate privileges (cross-server token) → persist after detection (cache TTL).

Additional finding: smaller models are dramatically more exploitable. gpt-5-nano: 100% genuine rate on tool abuse. gpt-5.2: ~45%. The model most likely used in cost-sensitive deployments is the most vulnerable to attacks the architecture fails to prevent.

What's well-implemented: filesystem path validation, git injection prevention, OAuth 2.1 with PKCE, tool input validation. The vulnerabilities are in the boundaries between servers.

Total cost of all scanner runs: $2.83.

Full report: https://tachyonicai.com/blog/mcp-security-audit/ Taxonomy (open source, 122 attacks): https://github.com/tachyonicai/tachyonic-heuristics