We Urgently Need Privilege Management in MCP: A Measurement of API Usage in MCP Ecosystems
This work addresses critical security vulnerabilities in MCP ecosystems, which are widely used for connecting LLMs to external tools, highlighting an urgent need for privilege management to prevent attacks.
The study conducted the first large-scale empirical analysis of security risks in the Model Context Protocol (MCP), revealing that network and system resource APIs dominate usage in 2,562 real-world applications, affecting 1,438 and 1,237 servers respectively, and demonstrating how insufficient privilege separation enables attacks like privilege escalation.
The Model Context Protocol (MCP) has emerged as a widely adopted mechanism for connecting large language models to external tools and resources. While MCP promises seamless extensibility and rich integrations, it also introduces a substantially expanded attack surface: any plugin can inherit broad system privileges with minimal isolation or oversight. In this work, we conduct the first large-scale empirical analysis of MCP security risks. We develop an automated static analysis framework and systematically examine 2,562 real-world MCP applications spanning 23 functional categories. Our measurements reveal that network and system resource APIs dominate usage patterns, affecting 1,438 and 1,237 servers respectively, while file and memory resources are less frequent but still significant. We find that Developer Tools and API Development plugins are the most API-intensive, and that less popular plugins often contain disproportionately high-risk operations. Through concrete case studies, we demonstrate how insufficient privilege separation enables privilege escalation, misinformation propagation, and data tampering. Based on these findings, we propose a detailed taxonomy of MCP resource access, quantify security-relevant API usage, and identify open challenges for building safer MCP ecosystems, including dynamic permission models and automated trust assessment.