MCP Security - Small Footprint, Big Consequences
It’s been a little while since I posted on AI and MCP security issues, but, as with any relatively immature technology, new issues keep being found.
I’ll turn my attention first to clawdbot, or moltbot as it’s now known. I’m really not sure why anyone would expose the passwords and keys to their entire online life to an agentic open source bot, but if you do, you had better have security-hardened the installation and be aware of the potential security issues (👉 https://www.theregister.com/2026/01/27/clawdbot_moltbot_security_concerns/).
On the MCP front researchers found:
➡️ Critical flaws in Anthropic’s Git MCP server that can be chained with the Filesystem MCP server to achieve remote code execution on the host running the agent.
➡️ A server‑side request forgery (SSRF) vulnerability in Microsoft’s MarkItDown MCP server that lets the MCP server fetch arbitrary URIs reachable from its own network context, including cloud instance metadata endpoints. In cloud deployments (e.g. AWS EC2 with IMDSv1 and a sufficiently privileged instance role), this could enable credential theft and potentially lead to cloud account or resource takeover.
(Further info at 👉 https://www.darkreading.com/application-security/microsoft-anthropic-mcp-servers-risk-takeovers and at https://petri.com/critical-mcp-server-flaws-ai-cloud-rce-attacks/)
Recommended Actions:
1️⃣ Patch: Update Anthropic Git MCP to v2025.12.18+ and apply any vendor updates for MarkItDown or other MCP components.
2️⃣ Harden URI/file fetches: Deny by default and strictly validate allowed URIs and file paths; use allowlists of hosts and paths, deny dangerous schemes (file: etc.), and block requests to link-local and metadata addresses (169.254.169.254 and its IPv6 equivalent) including via hostnames that resolve to them.
3️⃣ Enforce least privilege: Run MCP services with minimal OS privileges and narrowly scoped cloud/IAM roles, and avoid granting broad filesystem or cloud permissions.
4️⃣ Limit tool chaining: Restrict which MCP tools an agent can call and prevent combinations that enable escalation (e.g., Git + Filesystem).
5️⃣ Harden cloud metadata: Require IMDSv2 (or the equivalent token-based metadata service on other clouds) so a plain GET from an SSRF cannot read instance credentials, and add instance-level protections such as a PUT response hop limit of 1 to stop SSRF access from containers or proxies.
6️⃣ Treat MCP inputs as untrusted: Model-generated tool arguments are attacker-influenced (prompt injection), so apply strict input validation, sanitize arguments, and never forward user- or model-controlled parameters directly to system commands.
7️⃣ Network controls & egress filtering: Prevent MCP servers from making arbitrary outbound requests; use proxying with inspection and TLS validation.
8️⃣ Monitoring & response: Log MCP calls, alert on unusual patterns (e.g., git_init, remote metadata fetches), and have incident playbooks ready.
9️⃣ Dependency review: Audit third‑party MCP implementations before deployment and subscribe to vendor security advisories.
Apply the patches first, then enforce the configuration and network controls above.
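As an added example of action 2️⃣ (and the SSRF-to-metadata case behind action 5️⃣), here is a deny-by-default fetch guard an MCP server could apply before fetching a user- or model-supplied URI. This is illustrative code written for this post, not code from Anthropic, Microsoft, MarkItDown or any MCP project; the allowlisted hostnames and the resolver table are constructed for the demo, and the function names are hypothetical. It goes slightly beyond the bullet above by also checking the addresses a hostname resolves to, since an allowlisted name can be pointed at 169.254.169.254 (DNS rebinding) after the allowlist check passes.

```python
"""Deny-by-default guard for URIs an MCP tool is asked to fetch (example code)."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {None, 80, 443}
# Hypothetical allowlist: the only hosts this MCP server may fetch from.
ALLOWED_HOSTS = {"docs.example.com", "mirror.example.com"}
# Cloud instance metadata endpoints (IPv4 IMDS, EC2 IPv6 IMDS) named explicitly.
IMDS_ADDRESSES = {
    ipaddress.ip_address("169.254.169.254"),
    ipaddress.ip_address("fd00:ec2::254"),
}


class FetchDenied(ValueError):
    """Raised when a URI fails the allowlist or network checks."""


def _is_internal(ip):
    """True for any address an SSRF could use to reach non-public services."""
    addr = ipaddress.ip_address(ip)
    mapped = getattr(addr, "ipv4_mapped", None)  # ::ffff:a.b.c.d hides an IPv4 target
    if mapped is not None:
        addr = mapped
    if addr in IMDS_ADDRESSES:
        return True
    # is_global is False for loopback, link-local, RFC 1918, CGNAT and reserved
    # space (including RFC 5737 documentation ranges such as 203.0.113.0/24).
    return not addr.is_global


def _system_resolve(host):
    """Default resolver: every address the OS resolver returns for host."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_fetch_target(uri, resolve=_system_resolve):
    """Validate uri; return (host, resolved_ips) the caller should pin to."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise FetchDenied(f"scheme not allowed: {scheme or '<none>'}")
    if parts.username is not None or parts.password is not None:
        raise FetchDenied("userinfo in URI (possible host confusion)")
    host = parts.hostname
    if not host:
        raise FetchDenied("missing host")
    try:
        port = parts.port
    except ValueError:
        raise FetchDenied("invalid port")
    if port not in ALLOWED_PORTS:
        raise FetchDenied(f"port not allowed: {port}")
    try:
        literal = ipaddress.ip_address(host)
    except ValueError:
        literal = None
    if literal is not None:  # IP literals never match the hostname allowlist
        if _is_internal(host):
            raise FetchDenied(f"metadata/internal address blocked: {host}")
        raise FetchDenied(f"IP literal not allowed: {host}")
    if host.lower() not in ALLOWED_HOSTS:
        raise FetchDenied(f"host not in allowlist: {host}")
    ips = resolve(host)  # resolve only after the allowlist check passes
    if not ips:
        raise FetchDenied(f"no address for {host}")
    bad = [ip for ip in ips if _is_internal(ip)]
    if bad:
        raise FetchDenied(f"{host} resolves to internal address(es): {bad}")
    return host, ips


# Constructed resolver table standing in for DNS; the records are not real.
# mirror.example.com models a rebinding attack: an allowlisted name that also
# resolves to the IMDS address.
FAKE_DNS = {
    "docs.example.com": ["93.184.216.34"],
    "mirror.example.com": ["93.184.216.35", "169.254.169.254"],
}


def fake_resolve(host):
    return FAKE_DNS.get(host, [])


def classify(uri, resolve=fake_resolve):
    """Return 'allow' or 'deny: <reason>' for a candidate URI."""
    try:
        check_fetch_target(uri, resolve)
        return "allow"
    except FetchDenied as exc:
        return f"deny: {exc}"


if __name__ == "__main__":
    for candidate in (
        "https://docs.example.com/guide.md",
        "file:///etc/passwd",
        "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
        "http://[::ffff:169.254.169.254]/latest/meta-data/",
        "http://docs.example.com@169.254.169.254/",
        "https://mirror.example.com/",
    ):
        print(f"{classify(candidate):<60} {candidate}")
```

The check returns the resolved addresses on purpose: the HTTP client should connect to one of those addresses (setting the Host header and TLS SNI to the hostname) rather than re-resolving, otherwise a second lookup between the check and the connection can still land on the metadata address. Pair this with IMDSv2 on the instance so that even a bypass only yields a token-less request that the metadata service refuses.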

