Overview
Model Context Protocol (MCP) servers are increasingly being adopted in enterprise AI applications to expose controlled tools and internal business functions to LLM-powered clients. These MCP tools often provide direct access to workflows, client context, operational data, and application capabilities.
In secure deployments, MCP servers are expected to be consumed only through authorized MCP clients embedded within approved enterprise AI interfaces, with access governed by user roles and feature entitlements.
During recent security assessments, some of the most impactful vulnerabilities have been observed not at the prompt layer but at the protocol and connectivity layer, specifically around unauthorized and unauthenticated MCP server connections.
Intended Architecture
In the expected design:
- The enterprise application exposes internal capabilities through the MCP server
- Connections to MCP servers that expose tools handling sensitive data require authenticated connectivity
- Connections are allowed solely from approved MCP clients within the enterprise AI interface
- MCP access is enabled only for specific user roles and subscription tiers
The intended architecture therefore involves two major implementation layers: authentication as the first layer of MCP connectivity, and authorization of the MCP host/client that acts as the bridge between the user and the MCP server.
Commonly Identified Vulnerabilities
Unauthorized and unauthenticated MCP connectivity is emerging as one of the most impactful vulnerability classes in MCP-based enterprise AI deployments, as it bypasses both application-layer controls and traditional authorization boundaries.
An unauthenticated MCP server effectively allows external entities to invoke the available tools directly, resulting in immediate leakage of sensitive business or client information. Depending on the tools the server exposes, it may even allow invocation of tools that trigger unintended actions, impacting the confidentiality, integrity and availability of the application.
It has also been observed that MCP servers accept connections from any MCP host, including third-party LLM clients such as Claude Desktop or locally hosted LLM applications.
A client user could obtain a valid application access token and establish an MCP connection outside the intended enterprise AI interface, thereby accessing MCP tools through an unauthorized MCP host.
This results in an Unauthorized LLM MCP Bridge, bypassing the platform’s intended feature restrictions.
Security Impact
This vulnerability introduces multiple risks:
- Unauthenticated access to the MCP server leads to extraction of sensitive data, or even execution of unintended actions, depending on the tools the server exposes
- Client users can reach MCP tool capabilities through a side door even when LLM feature access is explicitly denied to them
- Third-party MCP clients can invoke MCP tools and receive sensitive business or client data that may be used for fine-tuning or training an LLM without the enterprise's consent
- Other insecure MCP servers connected to the same MCP client can lead to rug-pull and cross-tool poisoning attacks
- Feature and subscription controls can be bypassed, leading to unauthorized usage and potential financial loss
Recommended Mitigation
The MCP server must enforce proper authentication as well as client-level, user-level authorization, not just token validation. Key remediation steps include:
- Allow only authenticated MCP connections to enterprise MCP servers (unless it is an MCP server intended for public use)
- Allow MCP connections only from authorized MCP hosts/clients
- Apply IP allowlisting / network restrictions so that only approved enterprise hosts can connect
- Bind MCP tool access to user-type entitlements and role policies
- Monitor for unexpected MCP client connection attempts
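The following is an added example, not code from the original article: a Python authorization gate placed in front of an MCP server's tools/call handler that enforces, in order, the layers described under Intended Architecture and the remediation steps listed above (network restriction, authentication, approved-client check, role and tier entitlement per tool, and an audit record of every refused attempt). The HMAC-signed "payload.signature" token is a stand-in for the JWT an enterprise identity provider would issue; the signing secret, client ids, network range, tool names, roles, tiers and user names are all constructed for illustration.

```python
"""Added example, not the article's code: an authorization gate in front of an
MCP server's tools/call handler. Every secret, client id, network range, tool
name, role, tier and sample token here is constructed for illustration."""
import base64
import hashlib
import hmac
import ipaddress
import json
import time
from typing import Optional

# Constructed shared secret; a real deployment verifies tokens issued by the
# enterprise identity provider instead of minting its own.
SIGNING_KEY = b"example-secret-for-illustration-only"
# Only OAuth client ids issued to the approved enterprise AI interface may open
# MCP sessions (hypothetical identifier).
APPROVED_MCP_CLIENTS = {"enterprise-ai-ui"}
# Network restriction: the only ranges allowed to reach the MCP endpoint at all.
ALLOWED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]
# Entitlement-aware tool policy: roles and subscription tiers per tool (hypothetical).
TOOL_POLICY = {
    "search_client_records": {"roles": {"analyst", "admin"}, "tiers": {"enterprise"}},
    "export_report": {"roles": {"admin"}, "tiers": {"enterprise"}},
}
AUDIT_LOG = []  # denied attempts land here for a SIEM forwarder to pick up


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict) -> str:
    """Constructed 'payload.signature' HMAC token standing in for the IdP's JWT."""
    payload = _b64(json.dumps(claims, sort_keys=True).encode())
    return payload + "." + _b64(hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).digest())


def verify_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Layer 1, authentication: return the claims, or None on any failure."""
    try:
        payload, sig = token.split(".", 1)
        expected = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(payload))
        if claims.get("exp", 0) <= (time.time() if now is None else now):
            return None
        return claims
    except (ValueError, AttributeError):  # malformed base64/JSON or non-object payload
        return None


def _deny(reason: str, **context) -> dict:
    event = {"decision": "deny", "reason": reason, **context}
    AUDIT_LOG.append(event)  # every unexpected MCP connection attempt is recorded
    return event


def authorize_tool_call(headers: dict, client_ip: str, tool: str,
                        now: Optional[float] = None) -> dict:
    """Run one tools/call request through each layer in order; first failure wins."""
    if not any(ipaddress.ip_address(client_ip) in net for net in ALLOWED_NETWORKS):
        return _deny("network_not_allowed", ip=client_ip, tool=tool)
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return _deny("unauthenticated", ip=client_ip, tool=tool)
    claims = verify_token(auth[len("Bearer "):], now)
    if claims is None:
        return _deny("invalid_token", ip=client_ip, tool=tool)
    # Client-level authorization: a valid user token obtained through a third-party
    # LLM host carries that host's client_id, so it is refused here.
    if claims.get("client_id") not in APPROVED_MCP_CLIENTS:
        return _deny("unauthorized_mcp_client", ip=client_ip, tool=tool,
                     client_id=claims.get("client_id"), user=claims.get("sub"))
    policy = TOOL_POLICY.get(tool)
    if policy is None:
        return _deny("unknown_tool", ip=client_ip, tool=tool, user=claims.get("sub"))
    # User-level authorization: role and subscription tier gate each tool.
    if claims.get("role") not in policy["roles"] or claims.get("tier") not in policy["tiers"]:
        return _deny("not_entitled", ip=client_ip, tool=tool, user=claims.get("sub"),
                     role=claims.get("role"), tier=claims.get("tier"))
    return {"decision": "allow", "user": claims.get("sub"), "tool": tool}


def demo() -> dict:
    """Constructed scenarios; returns the decision for each so they can be checked."""
    now = 1_700_000_000.0
    base = {"sub": "alice", "role": "analyst", "tier": "enterprise",
            "client_id": "enterprise-ai-ui", "exp": now + 3600}

    def bearer(claims: dict) -> dict:
        return {"Authorization": "Bearer " + mint_token(claims)}

    tampered = mint_token(base).split(".")  # payload edited after signing
    tampered[0] = _b64(json.dumps({**base, "role": "admin"}, sort_keys=True).encode())
    return {
        "approved_client": authorize_tool_call(bearer(base), "10.20.1.5", "search_client_records", now),
        "third_party_host": authorize_tool_call(bearer({**base, "client_id": "desktop-llm-app"}),
                                                "10.20.1.5", "search_client_records", now),
        "no_token": authorize_tool_call({}, "10.20.1.5", "search_client_records", now),
        "wrong_entitlement": authorize_tool_call(bearer({**base, "role": "viewer", "tier": "basic"}),
                                                 "10.20.1.5", "export_report", now),
        "outside_network": authorize_tool_call(bearer(base), "203.0.113.9", "search_client_records", now),
        "expired": authorize_tool_call(bearer({**base, "exp": now - 1}), "10.20.1.5", "search_client_records", now),
        "tampered": authorize_tool_call({"Authorization": "Bearer " + ".".join(tampered)},
                                        "10.20.1.5", "export_report", now),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:18} {decision['decision']:5} {decision.get('reason', '')}")
```

The order of checks matters: the network and bearer checks reject anonymous probes before any token is parsed, and the approved-client check runs before entitlements so that a legitimate user's token presented from an unapproved host is refused even when the user's role would otherwise permit the tool. Each refusal is appended to AUDIT_LOG with the client ip, tool and (where known) user and client_id, which is the data a detection rule for unexpected MCP client connections needs.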
Conclusion
MCP servers should be treated as privileged enterprise APIs. Without strict client validation, they can become unintended external access paths into internal application tools and data.
Securing MCP deployments requires enforcing authentication, authorization, trusted MCP clients, network segmentation, and entitlement-aware tool authorization.