BSidesLuxembourg 2026

Breaking the Control Plane: Exploiting MCP Servers in AI Workflows
2026-05-07, IFEN room 2, Workshops and AI Security Village (Building D)

Model Context Protocol (MCP) servers are rapidly becoming the integration layer between AI agents and real-world systems. They connect models to ticketing platforms, source control, CI/CD pipelines, internal APIs, and local files, often running with production credentials and network reach.

Despite this, MCP servers are frequently deployed as “developer tooling,” bound to 0.0.0.0, and rarely threat-modeled as infrastructure.

In this talk, we present offensive research into the MCP ecosystem and demonstrate how classic vulnerability classes become significantly more impactful when placed inside agent-driven automation layers.

Through real-world case studies, including critical vulnerabilities affecting a widely deployed Atlassian MCP server (4M+ downloads), we show how network-reachable services can be coerced into outbound pivoting, filesystem control, and full remote code execution.


This talk presents a systematic study of the Model Context Protocol (MCP) ecosystem - the rapidly growing integration layer connecting AI agents to real-world systems.

MCP servers are increasingly deployed in production environments to bridge agents with SaaS platforms, source control, CI/CD pipelines, and internal APIs. In practice, these services:
- Hold API tokens and personal access credentials
- Perform outbound HTTP requests
- Read and write to local filesystems
- Execute privileged automation steps
- Are frequently exposed beyond localhost, often bound to 0.0.0.0 by default

Through a broad review of open-source MCP implementations and deployment patterns, we identified recurring security weaknesses across the ecosystem, including:

- Insecure network exposure defaults
- Middleware-level trust boundary failures
- Unvalidated outbound request destinations
- Unconstrained filesystem access
- The assumption that MCP servers are “local dev tools” rather than infrastructure components

We will demonstrate practical exploitation paths that arise from these design patterns, including SSRF pivoting, arbitrary file writes, and escalation to remote code execution. As one example, we present two vulnerabilities disclosed as part of the research (CVE-2026-27826 and CVE-2026-27825) that together form a critical unauthenticated RCE chain in the most widely used Atlassian MCP server (4M+ downloads), illustrating how classical issues compound in agent-driven architectures.

In addition, we explore the growing ecosystem of online MCP server and agent “skill” marketplaces, and discuss the emerging supply chain risks introduced by composable AI integrations with minimal security review.

Rather than focusing on model behavior or prompt injection, this talk examines the infrastructure layer enabling AI workflows and highlights why MCP servers should be threat-modeled and hardened as first-class production services.



Yotam Perkal leads security research at Pluto Security, a next-generation AI security and governance platform designed to protect the rapidly emerging ecosystem of AI builders, low-code/no-code tools, and agentic applications. His work focuses on securing AI-native development environments and building scalable methods for detecting, validating, and mitigating risks in AI-driven software workflows.

Previously, Yotam led the Threat Research team at Zscaler, headed the Vulnerability Research team at Rezilion, and held multiple roles within PayPal’s security organization across vulnerability management, threat intelligence, and insider threat.

Yotam is an active participant in several cross-industry working groups dealing with AI security, vulnerability management, and supply chain security.