X-MCP-Authenticated header. Active exploitation observed against three Indian AI startups since 17 May. Patch to 0.8.2 immediately.
RingSafe Advisory — a hypothetical CVE-2026-XXXXX — 22 May 2026
What is broken
The official Anthropic mcp Python SDK (and the corresponding TypeScript SDK) honoured a trust header, X-MCP-Authenticated, that was intended to be set by an upstream identity-aware proxy after the proxy itself had authenticated the caller. The bug: the SDK never checked that the header had actually been added by that proxy (by peer address, mTLS client certificate, or a signed value), so the header was just a string any client could send. Anyone who could reach the MCP server directly (for example, because the operator forgot to firewall the backend) could set the header themselves and call any registered tool, including file-system writes, shell execution, and database queries.
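The broken pattern beside a hardened check, as an added illustration for this advisory. It is not the mcp SDK's code and does not use the SDK's API; the proxy address, the shared secret and the header layout (subject plus HMAC tag) are assumptions chosen for the example.

```python
"""Trust-header handling: the vulnerable pattern and a hardened replacement.

Added example, not code from the mcp SDK. Assumed deployment: the
identity-aware proxy reaches the backend from 10.0.1.5 and shares
SHARED_SECRET with it (both values hypothetical).
"""
import hashlib
import hmac
import ipaddress
from typing import Mapping, Optional

TRUST_HEADER = "x-mcp-authenticated"
PROXY_NETWORK = ipaddress.ip_network("10.0.1.5/32")   # assumed proxy address
SHARED_SECRET = b"rotate-me-out-of-band"               # assumed shared secret


def is_authenticated_vulnerable(headers: Mapping[str, str]) -> bool:
    """The pattern the advisory describes: whoever sets the header is trusted."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return lowered.get(TRUST_HEADER) == "true"


def sign_identity(subject: str, secret: bytes = SHARED_SECRET) -> str:
    """What the proxy would place in the header: '<subject>:<hex HMAC-SHA256>'."""
    tag = hmac.new(secret, subject.encode(), hashlib.sha256).hexdigest()
    return f"{subject}:{tag}"


def is_authenticated_hardened(peer_ip: str, headers: Mapping[str, str],
                              secret: bytes = SHARED_SECRET) -> Optional[str]:
    """Return the authenticated subject, or None if the header must not be trusted.

    Two independent checks, both required:
      1. the TCP peer is the proxy (the hop check the SDK was missing);
      2. the header value carries a valid keyed MAC, so a value forwarded
         unchanged from a client, or sent from the proxy's host by something
         that is not the proxy, is still rejected.
    """
    try:
        if ipaddress.ip_address(peer_ip) not in PROXY_NETWORK:
            return None
    except ValueError:            # not a parseable address: never trust
        return None
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get(TRUST_HEADER)
    if value is None or ":" not in value:
        return None
    # The tag is hex, so splitting on the last ':' tolerates ':' in the subject.
    subject, _, tag = value.rpartition(":")
    expected = hmac.new(secret, subject.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return subject


if __name__ == "__main__":
    spoofed = {"X-MCP-Authenticated": "true"}
    print("vulnerable, spoofed from 203.0.113.9:",
          is_authenticated_vulnerable(spoofed))
    print("hardened, spoofed from 203.0.113.9:",
          is_authenticated_hardened("203.0.113.9", spoofed))
    print("hardened, signed via proxy:",
          is_authenticated_hardened("10.0.1.5", {"X-MCP-Authenticated": sign_identity("alice")}))
```

The peer-address check alone closes the direct-access case this advisory is about; the keyed MAC is there for the proxy's own failure modes. Whichever scheme you run, the proxy must strip or overwrite any X-MCP-Authenticated header it receives from a client before forwarding, otherwise proxied traffic can carry an attacker-chosen value too.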
Who is exposed
Any organisation running:
- A self-hosted MCP server in HTTP transport mode (stdio transport is not affected).
- SDK versions 0.6.0 through 0.8.1 (FastMCP and bare MCP).
- The server bound to 0.0.0.0 on a network reachable by anyone other than the proxy.
In-the-wild observations
RingSafe’s honeypot network registered 14,200 exploitation attempts in 48 hours, predominantly from Vultr and DigitalOcean IPs. Three confirmed compromises at Indian generative-AI startups, all involving direct exfiltration of customer prompt logs from SQLite databases that had been registered as MCP resources. Average dwell time before detection: 36 hours.
RingSafe analysis
MCP is becoming the AI tool-calling equivalent of what GraphQL was in 2017 — a productivity multiplier that ships ahead of its security culture. The pattern of “trust header from upstream” is one of the oldest mistakes in distributed systems and we will see it again. Treat any MCP server as a remote-code-execution surface, not a “developer convenience.”
Immediate actions
- Upgrade to mcp>=0.8.2 (Python) or @modelcontextprotocol/sdk>=0.8.2 (TypeScript).
- Audit firewall rules: MCP backends must only accept connections from the proxy IP.
- Rotate any credentials or API keys that were callable as MCP tools.
- Pull MCP server access logs for the past 30 days and search for X-MCP-Authenticated headers on requests from non-proxy IPs.
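Triage for the 30-day log review above, as an added example (this is not RingSafe's tooling). It assumes the backend writes one JSON object per request with `ts`, `peer_ip`, `headers` and `tool` fields and that the proxy's address is known; the sample lines are constructed, with TEST-NET addresses, not real traffic. Adapt `parse_line` to your server's actual log format.

```python
"""Find requests that carried X-MCP-Authenticated but did not come from the proxy.

Added example, not RingSafe's or the SDK's code. Log format and proxy
address are assumptions; SAMPLE_LOG is constructed, not captured traffic.
"""
import ipaddress
import json
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple

PROXY_NETS = [ipaddress.ip_network("10.0.1.5/32")]   # assumed proxy address(es)

# Constructed sample: one JSON record per request, plus a malformed line.
SAMPLE_LOG = """\
{"ts":"2026-05-18T02:11:07Z","peer_ip":"10.0.1.5","headers":{"X-MCP-Authenticated":"svc-frontend"},"tool":"search_docs"}
{"ts":"2026-05-18T02:11:09Z","peer_ip":"203.0.113.22","headers":{"x-mcp-authenticated":"true"},"tool":"query_sqlite"}
{"ts":"2026-05-18T02:11:10Z","peer_ip":"203.0.113.22","headers":{"x-mcp-authenticated":"true"},"tool":"read_file"}
{"ts":"2026-05-18T02:12:44Z","peer_ip":"198.51.100.8","headers":{"User-Agent":"curl/8.5"},"tool":"list_tools"}
not json at all
"""


def parse_line(line: str) -> Optional[dict]:
    """One record per line; malformed lines are skipped rather than aborting the sweep."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    return rec if isinstance(rec, dict) else None


def from_proxy(ip: str) -> bool:
    """True only if the peer address lies inside an allow-listed proxy network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in PROXY_NETS)


def find_spoofed(lines: Iterable[str]) -> List[Dict]:
    """Records where the trust header is present but the peer is not the proxy."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        # Header names are case-insensitive; normalise before looking up.
        headers = {k.lower(): v for k, v in rec.get("headers", {}).items()}
        if "x-mcp-authenticated" in headers and not from_proxy(rec.get("peer_ip", "")):
            hits.append({
                "ts": rec.get("ts"),
                "peer_ip": rec.get("peer_ip"),
                "tool": rec.get("tool"),
                "value": headers["x-mcp-authenticated"],
            })
    return hits


def summarise(hits: List[Dict]) -> Tuple[Counter, Counter]:
    """Counts per source IP and per tool: which tools ran tells you what to rotate."""
    return (Counter(h["peer_ip"] for h in hits),
            Counter(h["tool"] for h in hits))


if __name__ == "__main__":
    hits = find_spoofed(SAMPLE_LOG.splitlines())
    for h in hits:
        print(h)
    by_ip, by_tool = summarise(hits)
    print("by source:", dict(by_ip))
    print("by tool:  ", dict(by_tool))
```

Every hit is a request the server treated as authenticated on the strength of a client-supplied header; the per-tool counts are the starting point for the credential-rotation step, since any secret a flagged tool could reach should be considered exposed.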
See our companion technical guide: MCP Server Security — The New Attack Surface Every AI Team Is Missing.