On June 16, 2025, Asana notified potentially affected customers (anyone with a user who had used the MCP server) that an MCP bug had been identified. Asana took the server offline and resolved the code issue. They wrote: “Our incident responders and engineering teams acted immediately. As soon as the vulnerability was discovered on June 4, we took the MCP server down to investigate, contain the issue and prevent any further potential exposure. The bug in our code was then promptly resolved.”

What the Heck is MCP, and Why Is It So Important?

In the bustling digital metropolis of Multi-Agent AI systems, there’s one humble but powerful protocol sitting at the control tower: MCP – Model Context Protocol.

Think of MCP as the air traffic controller of AI agents. It enables context sharing between agents and models, ensuring that the left hand (say, an LLM-based planning agent) knows what the right hand (maybe a tool-using retriever agent) is doing.

But here’s the catch: if the MCP server is compromised, your agents could start hallucinating like they’ve had a bad day at Burning Man. 

What Can Go Wrong? Risks Lurking Around MCP Servers

Let’s break down the “MCP Risk Bingo” – every square is a potential breach waiting to happen:

Why Securing MCP Servers Is Like Putting Pants on Your Agents

Let’s get real — agents without secure context boundaries are like toddlers with a secret clearance. They might wander off, overshare, or worse, become a puppet for malicious intent.

If your MCP server gets popped:

  • Your agent-based AI system becomes inconsistent or hostile.
  • Your brand trust takes a nosedive (remember when someone fine-tuned a model to shout profanities in customer support?).
  • Your compliance posture collapses — if GDPR had a middle name, it’d be “Context Control.”

Recommendations: Making Your MCP Server Less Hackable Than Fort Knox

Here’s your security professional’s checklist, with just enough spice to make your CISO smile:

  1. Zero Trust, Always Verify – Ensure mutual auth between agents and MCP. Use short-lived JWTs or mTLS. No more “trust me, bro” tokens.
  2. Contextual Access Control – Not all agents need all the context. Apply the principle of least privilege like it’s gospel.
  3. Context Integrity & Signing – Sign and verify context payloads. If someone changes the message, it should scream “tampering” louder than a siren.
  4. Encrypted in Transit and At Rest – No, base64 isn’t encryption. Use AES-256 and TLS 1.3. Period.
  5. Context Auditing and Anomaly Detection – Ever see an agent request the same context 3000 times at midnight? Yeah, that’s a red flag. Log and watch.
  6. Rate Limiting & DoS Protections – MCP should not become the new public REST API endpoint from 2010. Throttle requests. Use circuit breakers.
  7. Red Teaming MCP with Agent Scenarios – Simulate malicious agents. Can they trick the MCP? Can they retrieve more than they should? If yes, back to the drawing board.
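As an added example (not from the original post and not Asana's code), here is how items 1 through 3 of the checklist can be enforced at the MCP server boundary in Python: each context request is HMAC-signed by the agent, checked for a short expiry, and only then matched against that agent's least-privilege scopes. The agent names, keys, scope strings and request fields are all constructed for the demo.

```python
import hashlib
import hmac
import json

# Constructed demo registry: per-agent signing keys and least-privilege scopes.
# A real MCP deployment would load these from a secrets manager / identity provider.
AGENT_KEYS = {
    "planner-agent": b"constructed-planner-key",
    "retriever-agent": b"constructed-retriever-key",
}
AGENT_SCOPES = {
    "planner-agent": {"tasks:read", "projects:read"},
    "retriever-agent": {"tasks:read"},
}


def canonical(payload: dict) -> bytes:
    """Deterministic JSON so signer and verifier hash identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_context(agent_id: str, payload: dict) -> str:
    """Agent side: HMAC-SHA256 over the canonical context payload."""
    return hmac.new(AGENT_KEYS[agent_id], canonical(payload), hashlib.sha256).hexdigest()


def verify_context_request(agent_id: str, payload: dict, signature: str, now: int) -> tuple[bool, str]:
    """MCP server side: integrity first, then expiry, then least privilege."""
    key = AGENT_KEYS.get(agent_id)
    if key is None:
        return False, "unknown agent"
    expected = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
    # Constant-time compare; changing any field changes the digest -> "tampering".
    if not hmac.compare_digest(expected, signature):
        return False, "tampering: signature mismatch"
    # Short-lived requests: a stale, previously valid payload is rejected.
    if now >= payload.get("exp", 0):
        return False, "expired: short-lived context request is stale"
    # Least privilege: a correctly signed request still only gets the agent's own scopes.
    scope = payload.get("scope")
    if scope not in AGENT_SCOPES.get(agent_id, set()):
        return False, f"least privilege: {agent_id} lacks scope {scope}"
    return True, "ok"


if __name__ == "__main__":
    req = {"agent": "retriever-agent", "scope": "tasks:read", "context_id": "ctx-42", "exp": 1_750_000_000}
    sig = sign_context("retriever-agent", req)
    print(verify_context_request("retriever-agent", req, sig, now=1_749_999_000))
    print(verify_context_request("retriever-agent", dict(req, scope="projects:read"), sig, now=1_749_999_000))
```

The second call shows the point of item 3: editing one field in transit invalidates the signature before any scope logic runs, and re-signing with an elevated scope still fails the least-privilege check.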

Looking Ahead: MCP Security = Future of AI Security

MCP Security isn’t just about patching holes. It’s about shaping how agentic systems interact responsibly.

  • In enterprise AI, where agents coordinate procurement, IT support, or compliance — an insecure MCP is an insider threat vector.
  • In consumer AI, where agents plan your calendar or chat with your kids — you better know what context they’re using and sharing.
  • In AI-on-AI interactions, context poisoning becomes a sophisticated attack class.

Securing MCP Servers today means we’re not playing cleanup tomorrow when your assistant agent books 10 Teslas because a poisoned context said “go electric.”

Final Thoughts: Secure Context, Secure Consciousness

In the world of multi-agent AI, context is currency. And your MCP server is the bank. Would you leave a vault open just because the tellers are friendly?

Have your agents talked to your CISO lately? If not, now’s the time.