Model Context Protocol Threat Modeling and Analyzing Vulnerabilities to Prompt Injection with Tool Poisoning

Charoes Huang; Xin Huang; Ngoc Phu Tran; Amin Milani Fard

arXiv:2603.22489·cs.CR·March 25, 2026

Model Context Protocol Threat Modeling and Analyzing Vulnerabilities to Prompt Injection with Tool Poisoning

Charoes Huang, Xin Huang, Ngoc Phu Tran, Amin Milani Fard

PDF

Open Access

TL;DR

This paper analyzes security vulnerabilities in the Model Context Protocol (MCP), especially tool poisoning, and proposes a multi-layered defense strategy to enhance client-side security in AI tool integrations.

Contribution

It provides a comprehensive threat modeling of MCP, identifies tool poisoning as a major vulnerability, and offers empirical evaluation and mitigation strategies for securing MCP implementations.

Findings

01

Most MCP clients lack sufficient static validation against tool poisoning.

02

Tool poisoning significantly impacts client security and integrity.

03

Proposed defenses improve detection and mitigation of malicious tool metadata.

Abstract

The Model Context Protocol (MCP) has rapidly emerged as a universal standard for connecting AI assistants to external tools and data sources. While MCP simplifies integration between AI applications and various services, it introduces significant security vulnerabilities, particularly on the client side. In this work we conduct threat modelings of MCP implementations using STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege) and DREAD (Damage, Reproducibility, Exploitability, Affected Users, Discoverability) frameworks across five key components: (1) MCP Host and Client, (2) LLM, (3) MCP Server, (4) External Data Stores, and (5) Authorization Server. This comprehensive analysis reveals tool poisoning-where malicious instructions are embedded in tool metadata-as the most prevalent and impactful client-side vulnerability. We…

Peer Reviews

No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.

Videos

No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.

Taxonomy

TopicsSecurity and Verification in Computing · Mobile Agent-Based Network Management · Web Application Security Vulnerabilities