ORGANIZATIONS rushing to connect their LLM-powered apps to external data sources via the Model Context Protocol (MCP) are creating attack surfaces that security controls aren’t built to handle, researchers warn. The threat is architectural and not easily fixed by patches, because MCP and LLMs operate at a fundamental level where an agent can access data, trigger workflows, call APIs, and act autonomously.
In this environment, an MCP-enabled LLM can misinterpret content as instructions, enabling covert prompt injection through emails or tool metadata, potentially causing exfiltration or other unintended actions across connected services. A third attack class, Rug Pull, could see a compromised MCP server begin serving malicious descriptions or instructions without any client notification.
The issue, according to Gianpietro Cutolo, cloud threat researcher at Netskope, will be highlighted at RSAC 2026 Conference in San Francisco, with guidance that includes separating MCP servers for private versus public data, scanning for instruction-like patterns, logging traffic, and enforcing least-privilege permissions, while keeping humans in the loop for sensitive actions. March 19, 2026.