FILTERING BY: CLEAR FILTER

Indirect Prompt Injection via Model Context Protocol MCP and OpenAPI Specifications

Adversaries are pivoting from direct prompt injection to indirect injection attacks targeting agentic AI systems by poisoning external data sources. By manipulating Model Context Protocol (MCP) tool definitions and OpenAPI/Swagger specifications, attackers embed malicious instructions within metadata fields such as 'description' or 'parameter'. When an AI agent parses this documentation to resolve tool-calling logic, it interprets the embedded payloads as functional requirements. This enables unauthorized tool execution, facilitating sensitive data exfiltration to attacker-controlled callback URLs, privilege escalation, and fraudulent financial transactions, including cryptocurrency payments. This vulnerability fundamentally compromises the security boundary of AI agents utilizing external tool integration and grounding.


LINK COPIED TO CLIPBOARD