Technical description
Researchers from National Chiao Tung University/National Yang Ming Chiao Tung University (Taiwan) identified a new attack class — Mid-Session Tool Injection (MSTI) — against the emerging WebMCP protocol, which allows websites to expose structured tools directly to AI agents. Unlike traditional MCP where tool sets are static, WebMCP supports dynamic tool registration within a session. Attackers who can inject third-party scripts into a WebMCP session can execute two distinct sub-attacks: Tool Hijacking, which modifies the set of tools visible to the agent using the AbortSignal API or race conditions during tool registration; and Tool Framing, which manipulates an agent's perception of tool roles by poisoning metadata fields (tool name, description, readOnlyHint, inputSchema). The paper demonstrates that both techniques can successfully redirect agent task execution toward malicious outcomes.
Attack vector
Attacker injects a malicious third-party script into a WebMCP-enabled web session. The script races against legitimate tool registration or exploits the AbortSignal API to substitute malicious tools for legitimate ones, or modifies tool metadata to cause the agent to treat a malicious tool as safe and task-appropriate. No direct access to the agent's host system is required — the attack surface is the dynamic tool registration layer itself.
Affected systems
AI agents using the WebMCP protocol to interact with web content; affects any agent runtime that trusts WebMCP tool registrations from third-party script sources. The authors' tests were conducted against three state-of-the-art (SOTA) LLMs. Degree of real-world exposure depends on the WebMCP adoption rate, which is early-stage but growing.
Mitigation
Mitigations proposed by the authors: (1) bind tool identity to its origin domain, preventing cross-origin tool substitution; (2) enforce lifecycle consistency — tool registrations should not be modifiable mid-session after initial consent; (3) enforce data boundaries for third-party tool scopes; (4) maintain traceable logs of all tool registration and invocation events. Organisations deploying WebMCP-enabled agents should audit tool registration trust models before production deployment.
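As an added illustration of mitigations (1), (2) and (4), not code from the paper or from any WebMCP implementation: a hypothetical agent-side registry that binds each tool's identity to the registering origin, refuses registration changes once the user has consented to the tool set, and keeps an append-only audit log of registration and invocation events. The ToolRegistry class, its method names and the "origin::name" key format are assumptions made for this example.

```javascript
// Added example, not code from the paper or any WebMCP implementation: a
// hypothetical agent-side ToolRegistry applying mitigations (1), (2) and (4).
class ToolRegistry {
  constructor() {
    this.tools = new Map(); // "origin::name" -> frozen tool record
    this.events = [];       // append-only audit log (mitigation 4)
    this.consented = false; // true once the user approved the initial tool set
  }
  audit(event, detail) {
    this.events.push({ seq: this.events.length, event, ...detail });
  }
  // Mitigation 1: identity is origin + name, so a third-party script cannot
  // replace or shadow a tool registered under the page's own origin.
  register(origin, tool) {
    const key = `${origin}::${tool.name}`;
    if (this.consented) {   // mitigation 2: no registrations after consent
      this.audit('register_rejected', { key, reason: 'session_frozen' });
      return false;
    }
    if (this.tools.has(key)) {
      this.audit('register_rejected', { key, reason: 'duplicate' });
      return false;
    }
    // Copy and freeze the metadata record the agent reasons over, so later
    // edits by the script to the object it passed in have no effect.
    const record = Object.freeze({
      origin, name: tool.name,
      description: String(tool.description ?? ''),
      readOnlyHint: tool.readOnlyHint === true,
      inputSchema: JSON.parse(JSON.stringify(tool.inputSchema ?? {})),
      execute: tool.execute,
    });
    this.tools.set(key, record);
    this.audit('registered', { key, readOnlyHint: record.readOnlyHint });
    return true;
  }
  // Mitigation 2: removing a tool mid-session is also refused after consent.
  unregister(origin, name) {
    const key = `${origin}::${name}`;
    const ok = !this.consented && this.tools.delete(key);
    this.audit(ok ? 'unregistered' : 'unregister_rejected', { key });
    return ok;
  }
  // Called once the user has approved the current tool set.
  consent() { this.consented = true; this.audit('consented', { count: this.tools.size }); }
  invoke(origin, name, args) {
    const key = `${origin}::${name}`, tool = this.tools.get(key);
    this.audit('invoke', { key, found: tool !== undefined });
    return tool ? tool.execute(args) : undefined;
  }
}
```

In a real runtime the agent would additionally only be shown tools whose origin the user approved, and the audit log would be shipped off-device rather than kept in memory.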