MCP-38: A Comprehensive Threat Taxonomy for Model Context Protocol Systems (v1.0)
This addresses security vulnerabilities in MCP systems, which are not covered by existing threat frameworks, though it is incremental as it builds on prior work.
The paper tackles the lack of adequate threat frameworks for the Model Context Protocol (MCP) by introducing MCP-38, a protocol-specific threat taxonomy with 38 categories derived through a systematic methodology, mapping them to existing frameworks like STRIDE and OWASP.
The Model Context Protocol (MCP) introduces a structurally distinct attack surface that existing threat frameworks, designed for traditional software systems or generic LLM deployments, do not adequately cover. This paper presents MCP-38, a protocol-specific threat taxonomy consisting of 38 threat categories (MCP-01 through MCP-38). The taxonomy was derived through a systematic four-phase methodology: protocol decomposition, multi-framework cross-mapping, real-world incident synthesis, and remediation-surface categorization. Each category is mapped to STRIDE, OWASP Top 10 for LLM Applications (2025, LLM01--LLM10), and the OWASP Top 10 for Agentic Applications (2026, ASI01--ASI10). MCP-38 addresses critical threats arising from MCP's semantic attack surface (tool description poisoning, indirect prompt injection, parasitic tool chaining, and dynamic trust violations), none of which are adequately captured by prior work. MCP-38 provides the definitional and empirical foundation for automated threat intelligence platforms.