We audited both MCP SDKs – three classes of boundary-crossing vulnerabilities

All three confirmed with live PoC exploits using the SDK's real auth components (BearerAuthBackend, RequireAuthMiddleware, TokenVerifier).

Findings:

1. Tool Capability Shadowing — tool names are flat strings with no namespace or origin tracking. If two servers register "read_data", one silently wins. We validated against gpt-5-nano: the model made path traversal and credential exfiltration tool calls that would route to an attacker's shadow server. 10/10 genuine, 0% FP.

2. Token Audience Confusion — verify_token() takes one parameter: the token string. No expected audience. A read-only token for Server A works on Server B's admin_delete endpoint. This isn't an implementation bug — it's a gap in the SDK interface. Every MCP server built on these SDKs inherits this.

3. Stale Authorization — no push invalidation mechanism. Revoked tokens accepted for the full cache TTL. Scope downgrades invisible until cache expires. In production with 5-minute caches, that's a 5-minute window. JWT-only validation (no introspection) is worse: no revocation possible until the token itself expires (hours to days).

The combined chain: enumerate tools (no namespace isolation) → shadow a tool (silent routing) → escalate privileges (cross-server token) → persist after detection (cache TTL).

Additional finding: smaller models are dramatically more exploitable. gpt-5-nano: 100% genuine rate on tool abuse. gpt-5.2: ~45%. The model most likely used in cost-sensitive deployments is the most vulnerable to attacks the architecture fails to prevent.

What's well-implemented: filesystem path validation, git injection prevention, OAuth 2.1 with PKCE, tool input validation. The vulnerabilities are in the boundaries between servers.

Total cost of all scanner runs: $2.83.

Full report: https://tachyonicai.com/blog/mcp-security-audit/ Taxonomy (open source, 122 attacks): https://github.com/tachyonicai/tachyonic-heuristics