What happened
Cyberhaven published 'MCP Security: How to Secure MCP Integrations' on 2026-05-29, a detailed practitioner guide covering the six primary MCP security risk categories in enterprise deployments: uncontrolled data access/exfiltration, indirect prompt injection via tool responses, tool poisoning (malicious server misrepresenting tool behavior), excessive privilege and scope creep, authentication gaps with static API keys, and shadow MCP (unsanctioned integrations standing up without security review). The guide provides concrete mitigation steps including MCP server inventory requirements, default read-only posture, least-privilege enforcement, human approval gates for mutating actions, and output sanitization.
Why it matters
Most enterprises deploying MCP servers today have no inventory of what is running, what data it touches, or what permissions it holds — Cyberhaven's own telemetry shows this is a live, unmanaged exposure. The guide is notable because it explicitly names MCP tool-call architecture as 'a clean delivery path' for indirect prompt injection attacks and identifies multi-agent environments (where one agent orchestrates others) as especially exposed to tool poisoning via compromised downstream servers. This framing gives security teams precise language to take to engineering and product leadership.
Action needed
Use Cyberhaven's six-category risk taxonomy as the basis for an MCP security review in any enterprise environment running AI agents — start with an inventory scan (Cisco mcp-scanner on GitHub is a free starting point), then apply default read-only permissions and mandate human approval checkpoints for any tool call that modifies data or triggers external actions.
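As an added illustration (not code from Cyberhaven's guide or from any MCP SDK), the following Python sketches what the controls named above look like when enforced at the tool-call boundary: an inventory allowlist that denies shadow MCP tools, a default read-only posture with a human approval gate for mutating calls, tool descriptions pinned by hash so a server that later changes what a tool claims to do is caught, and a coarse screen on tool responses for instruction-like text. Tool names, descriptions and the sample response are constructed for this example.

```python
"""Policy gate for MCP tool calls: inventory allowlist, default read-only
posture, human approval for mutating actions, pinned tool descriptions
(tool poisoning) and response screening. Constructed example; tool names
and descriptions are made up."""
from collections import namedtuple
import hashlib, re

def _sha256(text):
    return hashlib.sha256(text.encode()).hexdigest()

# Constructed tool descriptions as approved at security review.
SEARCH_DESC = "Search CRM accounts by name. Read-only."
UPDATE_DESC = "Update fields on a CRM account."

# Inventory: anything not listed is shadow MCP and denied. Descriptions
# are pinned by hash so a server that later rewrites what a tool claims
# to do is caught. A tool not explicitly reviewed as read-only is
# treated as mutating (default read-only posture).
INVENTORY = {
    "crm.search_accounts": {"mutating": False, "desc_sha256": _sha256(SEARCH_DESC)},
    "crm.update_account": {"desc_sha256": _sha256(UPDATE_DESC)},
}

# Coarse tripwires for instruction-like text in tool output; a match
# means the response is handled as hostile data, not trusted context.
INJECTION_PATTERNS = [
    re.compile(r"ignore (?:all |any )?(?:previous |prior )?instructions", re.I),
    re.compile(r"^\s*(?:system|assistant)\s*:", re.I | re.M),
]

Decision = namedtuple("Decision", "allow needs_human_approval reason")

def evaluate_call(tool, description, human_approved=False):
    """Gate a call using the description the server advertises right now."""
    entry = INVENTORY.get(tool)
    if entry is None:
        return Decision(False, False, "shadow MCP: tool not in inventory")
    if entry["desc_sha256"] != _sha256(description):
        return Decision(False, False, "tool description changed since review")
    if entry.get("mutating", True) and not human_approved:
        return Decision(False, True, "mutating action needs human approval")
    return Decision(True, False, "ok")

def screen_response(text):
    """Redact instruction-like fragments from tool output; report tripwires fired."""
    fired = [p.pattern for p in INJECTION_PATTERNS if p.search(text)]
    for p in INJECTION_PATTERNS:
        text = p.sub("[redacted]", text)
    return text, fired
```

The regex screen is a tripwire for logging and quarantine, not a complete defense against indirect prompt injection; the structural controls (inventory, read-only default, approval gate, pinned descriptions) carry the weight.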