MCPwned: Hacking MCP Servers with One Skeleton Key Vulnerability

Jonathan Leitschuh

BSidesSF 2026 · Day 2 · AMC Theatre 14

Jonathan Leitschuh's talk, "MCPwned: Hacking MCP Servers with One Skeleton Key Vulnerability," covers a long-standing class of browser-based vulnerability (DNS rebinding) that lets a public website reach, and compromise, servers running on the visitor's own machine. His target is Model Context Protocol (MCP) servers, which have spread rapidly with AI tooling and large language models (LLMs) as a standardized way for AI assistants to talk to enterprise systems such as databases, Git repositories, and monitoring services. The talk shows how a common developer assumption, that a server listening on localhost is unreachable from the web, combined with insecure defaults in popular MCP SDKs, yields a single "skeleton key" vulnerability that opens many of these servers at once.
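The mechanism behind the "skeleton key", as an added illustration that is not code from the talk or from any MCP SDK: after a DNS-rebinding flip, the victim's browser sends the attacker page's fetch() calls to 127.0.0.1, but the request still carries the attacker's hostname in the Host header, so a Host allowlist rejects it. With the check switched off, which the page says was the SDK default, every request is served. The function names, the port 3000, and the request list below are made up for the example.

```javascript
// Added example: a Host-header allowlist of the kind that defeats DNS rebinding
// against an HTTP server bound to localhost.  Illustrative only; not the MCP
// SDK's own code.  Names and the request samples are constructed.

// Hosts a local server should accept.  The port is part of the Host header,
// so it is stripped before comparison.
const DEFAULT_ALLOWED_HOSTS = ["localhost", "127.0.0.1", "[::1]"];

function hostIsAllowed(hostHeader, allowedHosts = DEFAULT_ALLOWED_HOSTS) {
  if (typeof hostHeader !== "string" || hostHeader.length === 0) return false;
  // "localhost:3000" -> "localhost"; "[::1]:3000" -> "[::1]"; "127.0.0.1" -> as is.
  const m = /^(\[[^\]]+\]|[^:]+)(?::\d+)?$/.exec(hostHeader);
  if (!m) return false;
  return allowedHosts.includes(m[1].toLowerCase());
}

// Decide whether a request should be served.  With dnsRebindingProtection
// false (the insecure default the talk describes) every Host value passes.
function handleRequest(headers, { dnsRebindingProtection = false } = {}) {
  if (dnsRebindingProtection && !hostIsAllowed(headers.host)) {
    return { status: 403, body: "Forbidden: unexpected Host header" };
  }
  return { status: 200, body: "served" };
}

// Constructed requests, in the order a rebinding attack produces them.  The
// victim loads http://attacker.example:3000/ while the name resolves to the
// attacker's IP; the attacker's DNS then answers 127.0.0.1, so the page's
// later fetch() calls land on the local server but keep the attacker's Host.
const CONSTRUCTED_REQUESTS = [
  { label: "local MCP client",     headers: { host: "localhost:3000" } },
  { label: "local client over v6", headers: { host: "[::1]:3000" } },
  { label: "rebinding fetch()",    headers: { host: "attacker.example:3000" } },
  { label: "no Host header",       headers: {} },
];

// Returns [label, status] pairs so the two configurations can be compared.
function simulate(options) {
  return CONSTRUCTED_REQUESTS.map((r) => [r.label, handleRequest(r.headers, options).status]);
}

// Same inputs, protection off then on:
//   off -> all four requests return 200, including the rebinding fetch()
//   on  -> the two loopback clients return 200, the other two return 403
const unprotected = simulate({ dnsRebindingProtection: false });
const protectedRun = simulate({ dnsRebindingProtection: true });
console.log({ unprotected, protectedRun });
```

The check is on the Host header, not the Origin header, because a rebinding request is same-origin from the browser's point of view and arrives looking exactly like a request from the attacker's own site. Matching the bracketed IPv6 form and the port-stripped name separately avoids the common mistake of accepting anything that merely starts with "localhost".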

AI review

Leitschuh takes a genuinely old vulnerability class — DNS rebinding — and lands it squarely on a target-rich, modern attack surface that most of the AI tooling community has never thought about: MCP servers shipping with protection disabled by default. The demos are real, the CVEs are real, the bounties are real, and the policy implication (Anthropic actually changed their SDK defaults in response) gives this legs beyond the talk itself.

Watch on YouTube