MCP-38: A Comprehensive Threat Taxonomy for Model Context Protocol Systems (v1.0)

TL;DR

This paper introduces MCP-38, a detailed threat taxonomy specifically for Model Context Protocol systems, addressing unique attack vectors not covered by existing frameworks, and supporting automated threat intelligence.

Contribution

It develops a comprehensive, protocol-specific threat taxonomy for MCP, systematically derived and mapped to established threat frameworks, filling a critical gap in security coverage.

Findings

38 threat categories identified for MCP systems

Addresses semantic attack surface threats like prompt injection

Provides foundation for automated threat intelligence platforms

Abstract

The Model Context Protocol (MCP) introduces a structurally distinct attack surface that existing threat frameworks, designed for traditional software systems or generic LLM deployments, do not adequately cover. This paper presents MCP-38, a protocol-specific threat taxonomy consisting of 38 threat categories (MCP-01 through MCP-38). The taxonomy was derived through a systematic four-phase methodology: protocol decomposition, multi-framework cross-mapping, real-world incident synthesis, and remediation-surface categorization. Each category is mapped to STRIDE, OWASP Top 10 for LLM Applications (2025, LLM01--LLM10), and the OWASP Top 10 for Agentic Applications (2026, ASI01--ASI10). MCP-38 addresses critical threats arising from MCP's semantic attack surface (tool description poisoning, indirect prompt injection, parasitic tool chaining, and dynamic trust violations), none of which are adequately captured by prior work. MCP-38 provides the definitional and empirical foundation for automated threat intelligence platforms.