OWASP MCP Top 10
As AI systems become increasingly integrated into software supply chains, enterprise applications, and security infrastructure, the need for structured, secure, and interpretable model interaction layers is paramount. The Model Context Protocol (MCP) is emerging as a framework to define the operational, contextual, and behavioral boundaries of AI models. However, with the power and flexibility of MCPs comes a new class of vulnerabilities and attack surfaces that remain underexplored.
This OWASP Top 10 for MCP outlines the most critical security concerns arising in the lifecycle of MCP-enabled systems—spanning from model misbinding, context spoofing, and prompt-state manipulation to insecure memory references and covert channel abuse. These risks are amplified in scenarios involving agentic AI, model chaining, multi-modal orchestration, and dynamic role assignment.
By mapping the top 10 MCP-related vulnerabilities and offering concrete recommendations for secure design, implementation, and auditing practices, this project aims to equip AI developers, ML engineers, and security practitioners with the insights necessary to build context-aware and attack-resilient AI systems. The OWASP MCP Top 10 will serve as a living document, evolving alongside the pace of AI model capability and protocol innovation—anchored in real-world threats, research findings, and industry feedback.
Road Map
Phase 1 – Drafting: Create an initial draft of requirements that cover the industry aspects.
Phase 2 – Community Review and Feedback: Publish the draft in a public repository for the community to review. Inputs from the community
Phase 3 – Beta Release and Pilot Testing: Release a “beta” version of the MCP Top 10. Gather feedback on usability and coverage.
Phase 4 – Final Release: Incorporate feedback from pilot testing.
Phase 5 – Continuous Improvement: Periodically release updated versions.