← Back to Blog

MCP Security Is Broken

The Hermetic Project ·
securitymcpcvecredential-isolationai-agents

Reading time: ~10 minutes

Three CVEs. One major breach. One week. The Model Context Protocol is spreading faster than the security practices needed to deploy it safely.

This isn't a story about bad developers. It's a story about a protocol designed for capability that left containment as an exercise for the reader.

What Happened This Week

Monday: CVE-2026-33032 — MCPwn

A CVSS 9.8 vulnerability in nginx-ui, an open-source web management interface for Nginx. The researcher who found it gave it a name that says everything: MCPwn.

nginx-ui added MCP integration to let AI agents manage Nginx servers. They exposed two endpoints:

The problem: the default IP whitelist is empty. The middleware interprets an empty whitelist as "allow all."

An attacker sends two HTTP requests. The first establishes a session. The second invokes any MCP tool — restart Nginx, rewrite configs, intercept traffic. Full server takeover in approximately four seconds.

The fix was 27 characters of missing middleware. Actively exploited in the wild. Roughly 2,600 instances exposed on the public internet.

Wednesday: CVE-2026-27825 and CVE-2026-27826 — MCPwnfluence

Two more MCP vulnerabilities, this time in the Atlassian MCP server. Unauthenticated remote code execution from the local network. The researchers called it MCPwnfluence.

Same pattern. Different product. Same root cause.

Saturday: The Vercel Breach

Vercel disclosed a security incident that started with Context.ai, a third-party AI productivity tool. A Context.ai employee was compromised with Lumma Stealer malware. The attackers moved from Context.ai's AWS environment to OAuth tokens to a Vercel employee's Google Workspace to Vercel's internal systems.

The defense that worked: environment variables flagged "sensitive" were encrypted at rest. The attacker couldn't read them.

The defense that didn't: most environment variables weren't flagged. They sat readable to anything with internal access. The default was plaintext. Sensitive was opt-in.

Vercel has since changed the default: new environment variables are now created as "sensitive." One boolean default change that would have contained the entire breach.

The Pattern

These aren't isolated incidents. They share one architectural flaw.

MCP gives AI agents the ability to invoke tools. Those tools inherit the application's full capabilities — restart servers, modify configurations, read credentials, execute code. But when developers add MCP endpoints to existing applications, the security controls that protect the application's normal interfaces don't automatically extend to the MCP surface.

The researcher who found MCPwn described it precisely: when you bolt MCP onto an existing application, the MCP endpoints inherit the application's full capabilities but not necessarily its security controls.

The MCP specification defines a protocol for capability. It does not define a security boundary.

Authentication? Implementation detail. Authorization? Implementation detail. Credential isolation? Not addressed. Process identity verification? Not in the spec.

The result: every MCP server reinvents security differently. Most get it wrong.

The Credential Question

Every credential system answers one question: what process sees plaintext, and for how long?

The Vercel breach showed what happens at the boundary. Variables marked "sensitive" — encrypted at rest — survived. Everything else was readable.

The architectural fix isn't better passwords or more OAuth scopes. It's reducing the plaintext surface: the smallest possible window, the shortest possible lifetime, the fewest possible processes.

How Credential Isolation Works

A credential broker separates "who holds the credential" from "who uses the result."

Standard model: the agent holds the API key in its environment, constructs an Authorization header, makes the HTTPS call, processes the response. The credential is in the agent's process memory for the entire session.

Brokered model: a daemon holds the credential in an encrypted vault. The agent asks the daemon "call this API." The daemon decrypts the credential, injects it into the HTTPS request, makes the call, zeroizes the credential from memory, returns the response. The agent processes the result. The credential was never in the agent's memory.

If the agent is compromised via prompt injection, the standard model exposes every credential the agent holds. The brokered model exposes nothing — the agent doesn't have the credentials.

Against the MCPwn Attack Chain

Attack step nginx-ui Brokered model
Unauthenticated MCP access Default: allow all Binary attestation on every connection
Session token reuse Works from any process PID-bound tokens with kernel-verified sender identity
Excessive MCP privileges Restart server, modify configs Read-only + brokered API calls only
Credential theft Backup endpoint leaks keys Encrypted vault, no backup API
Network exposure HTTP on all interfaces Unix Domain Socket only, zero network presence

Against the Vercel Pattern

The Vercel breach exploited the gap between "has access" and "needs access." An AI productivity tool had broad OAuth permissions. When the tool was compromised, those permissions became the attacker's permissions.

In a brokered model, the AI agent never holds the credential. It can't be compromised in a way that exposes credentials, because it doesn't have them.

Hermetic: A Credential Broker for AI Agents

We built Hermetic for this problem. It's a local Rust daemon that holds credentials in an AES-256-GCM encrypted vault and makes authenticated HTTP requests on the agent's behalf.

The Community edition is free: 10 secrets, 26 service templates, the full security kernel. Security is never gated by license.

curl -fsSL https://hermeticsys.com/install.sh | sh
hermetic init
hermetic add        # paste any API key — auto-detects the service
hermetic start
hermetic connect    # configure MCP for your agent

The agent uses MCP tools:

Works with Claude Code, Cursor, Windsurf, and any MCP-compatible IDE.

GitHub | Install | AGPL-3.0-or-later

What to Do Today

  1. If you run nginx-ui: Update to version 2.3.4 immediately.
  2. If you deploy on Vercel: Flag every environment variable as "sensitive." Rotate any token that was unflagged before April 19. Check your Google Workspace third-party app permissions.
  3. If you're building MCP integrations: Ask what happens if your MCP endpoint's authentication is bypassed. If the answer is "full application takeover," your MCP surface needs its own security boundary.
  4. If you're an AI agent developer: Consider whether credentials need to be in agent memory at all. The agent doesn't need your API key. It needs the API response.

FAQ

Q: How do I secure API keys when using AI coding agents?
A: Use a credential broker. Instead of storing keys in .env files (readable by any process), a broker daemon holds credentials in an encrypted vault and makes API calls on the agent's behalf. The agent gets the response without ever seeing the key.

Q: What is the MCP security problem?
A: The Model Context Protocol defines how AI agents invoke tools but doesn't define a security boundary. Authentication, authorization, and credential isolation are left to each implementation. Three CVEs in one week showed that most implementations get this wrong.

Q: Does Hermetic work with Claude Code and Cursor?
A: Yes. Hermetic integrates via MCP as a standard MCP server. Run hermetic connect to configure it, then use hermetic_authenticated_request for brokered API calls.

Q: Is the Community edition really free?
A: Yes. 10 secrets, 26 service templates, full security kernel including binary attestation and credential leak scanning. Security is never gated by license.

Hermetic is an open-source, agent-isolated credential broker. The daemon holds secrets; agents never do. hermeticsys.com | GitHub