MCP Attack Atlas: 40+ AI Agent Attack Patterns Catalogued to Combat Model Context Protocol Vulnerabilities
Key Takeaways
- 40+ verified attack patterns against MCP-enabled AI agents catalogued across 14 attack families, with two patterns matching published CVEs
- All documented patterns verified through multi-agent audit with citations to external references or internal fixtures, avoiding unsubstantiated security claims
- Top 10 featured patterns include emoji homoglyph evasion, context window reset poisoning, tool metadata directive bleed, and memory rehydration poisoning, each paired with specific technical defenses
Summary
Sunglasses Open Research has released the MCP Attack Atlas, a comprehensive open catalogue documenting 40+ verified attack patterns against AI agents using the Model Context Protocol (MCP). The atlas organizes these attack vectors across 14 families, ranging from emoji homoglyph policy evasion to memory eviction rehydration poisoning, with each pattern including attack descriptions, test fixtures, and detection approaches. The research represents a rigorous security documentation effort, with all patterns verified through multi-agent audit and tied to either published CVEs, external references, or internal test corpora—explicitly rejecting unsubstantiated claims.
Two patterns identified in the atlas correlate with real published vulnerabilities (CVE-2026-40159 and GHSA-pj2r-f9mw-vrcq), while the remainder have been observed in internal testing or flagged as hypothetical threats. Featured attack patterns include context window reset poisoning, tool docstring directive bleed, approval hash collision, decision trace forgery, and multi-stage encoding camouflage. The atlas emphasizes practical defenses for each pattern, such as dual-view hash integrity checks, domain-separated approval hash binding, and canonicalization through full decode chains.
- Open catalogue provides defenders with structured threat taxonomy and actionable mitigations for securing AI agents using the Model Context Protocol
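Two of the defenses named above, canonicalization through a full decode chain and domain-separated approval hash binding, are easy to get subtly wrong, so the following added example (written for this summary; it is not code from the MCP Attack Atlas or from Sunglasses Open Research) shows a minimal defensive implementation of each. The tool names, the deny-list, the `mcp-approval-v1` domain tag and the sample inputs are all constructed for illustration.

```python
import hashlib
import hmac
import html
import unicodedata
from urllib.parse import unquote

# Constructed deny-list of tool names a policy layer should refuse.
BLOCKED_TOOLS = {"delete_repo", "exfiltrate_secrets"}

# Bound the decode chain so a crafted input cannot keep us decoding forever.
MAX_DECODE_ROUNDS = 8


def canonicalize(text: str, max_rounds: int = MAX_DECODE_ROUNDS) -> str:
    """Run percent-decoding, HTML-entity decoding and NFKC normalization
    repeatedly until the string stops changing (a fixed point).

    A single decode pass is what "multi-stage encoding camouflage" relies on:
    the policy sees one layer, the tool runtime unwraps the rest.
    """
    current = text
    for _ in range(max_rounds):
        step = unicodedata.normalize("NFKC", html.unescape(unquote(current)))
        if step == current:
            return current
        current = step
    # Still changing after the bound: refuse rather than guess.
    raise ValueError("decode chain did not converge")


def tool_call_blocked(tool_name: str) -> bool:
    """Policy check applied to the canonical form, not the raw bytes."""
    return canonicalize(tool_name).casefold() in BLOCKED_TOOLS


def naive_tool_call_blocked(tool_name: str) -> bool:
    """The weak variant: checks the raw string, so encoded names slip past."""
    return tool_name.casefold() in BLOCKED_TOOLS


def naive_approval_hash(tool: str, args_json: str) -> str:
    """Weak binding: plain concatenation, so field boundaries are ambiguous
    and ("ab", "c") hashes identically to ("a", "bc")."""
    return hashlib.sha256((tool + args_json).encode("utf-8")).hexdigest()


def approval_hash(key: bytes, tool: str, args_json: str, session_id: str,
                  domain: bytes = b"mcp-approval-v1") -> str:
    """Domain-separated, length-prefixed HMAC over every field an approval
    covers. The domain tag keeps an approval MAC from being reused as some
    other kind of MAC, and the length prefixes make the encoding injective,
    so two different (tool, args, session) tuples cannot collide by
    shifting bytes between fields."""
    mac = hmac.new(key, domain, hashlib.sha256)
    for field in (tool, args_json, session_id):
        data = field.encode("utf-8")
        mac.update(len(data).to_bytes(4, "big"))
        mac.update(data)
    return mac.hexdigest()


if __name__ == "__main__":
    # Constructed samples: a percent-encoded HTML entity and a fullwidth 'd'.
    for raw in ("%26%23100%3Belete_repo", "\uff44elete_repo", "list_files"):
        print(f"{raw!r}: naive={naive_tool_call_blocked(raw)} "
              f"canonical={tool_call_blocked(raw)}")
    key = b"constructed-demo-key"
    print(approval_hash(key, "ab", "c", "s1") == approval_hash(key, "a", "bc", "s1"))
```

The two checks are independent: `canonicalize` is what the policy layer runs before any string comparison, and `approval_hash` is what a human-approval gate computes at approval time and recomputes at execution time, rejecting the call if the digests differ.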
Editorial Opinion
The MCP Attack Atlas sets a commendable standard for security research transparency by explicitly rejecting benchmark theater and unverified claims—a posture that raises the bar for the entire AI security community. By grounding each pattern in either real CVEs, peer-reviewed references, or reproducible fixtures, and pairing attacks with concrete defenses, Sunglasses has created a genuinely useful resource for both offensive and defensive research. This work is particularly timely as MCP adoption accelerates; organizations deploying MCP-based agents now have a structured methodology to threat-model their deployments rather than discovering vulnerabilities in production.