A critical vulnerability dubbed ContextCrush has been disclosed in Context7 MCP Server, a widely used tool for delivering documentation to AI coding assistants, exposing a trusted documentation channel to attacker‑driven instructions. The flaw stems from the platform’s Custom Rules feature, which allowed AI-specific guidance to slip through unfiltered, meaning attackers could inject malicious rules into the documentation registry and have them distributed to developers’ AI tools via Context7’s infrastructure.
In testing, researchers from Noma Labs demonstrated a poisoned library entry that could direct an AI assistant to locate sensitive .env files, transmit them to an attacker‑controlled repository and then delete local files, all while appearing as legitimate documentation. The attackers would not need direct interaction with a victim system, highlighting an inherent trust problem in MCP server architectures and the risk of user‑generated content becoming executable instructions for AI agents.
Following disclosure on 18 February 2026, Upstash began remediation the next day and deployed a fix on 23 February 2026, introducing rule sanitisation and additional safeguards; there is no evidence that the flaw was exploited in real‑world attacks.