When Your AI Coding Assistant Opens the Wrong Doors

“Hey Claude, can you check which S3 buckets haven’t been used in the last 90 days?”

A simple, innocent request. The kind of query that developers make dozens of times a day with their AI coding assistants. But what if, instead of just listing those buckets, your AI assistant also deleted them—without asking?

Welcome to the new frontier of software development, where AI assistants have evolved from helpful autocomplete tools into powerful agents capable of executing real actions across your entire infrastructure. And with that power comes a terrifying new class of security vulnerabilities.

The AI-Assisted Coding Revolution

The transformation has been remarkably swift. In late 2024, AI coding assistants like GitHub Copilot, Cursor, and Stack Overflow’s tools were primarily used for code suggestions and documentation lookups. By mid-2025, these tools had evolved into full-fledged agents capable of:

• Reading and writing to databases directly from your IDE
• Managing cloud infrastructure via AWS, Azure, and GCP APIs
• Accessing internal tools like Jira, Slack, and your company wiki
• Executing terminal commands with the same privileges as your user account
• Committing code changes and creating pull requests autonomously

According to a 2025 GitHub survey, over 65% of professional developers now use AI assistants daily, and that number is climbing fast. The productivity gains are undeniable—developers report shipping features 30-50% faster with AI assistance.

But here’s the uncomfortable truth: most organizations have rushed to adopt these tools without fully understanding the security implications.

The Protocol Powering This Revolution (and Its Risks)

Behind the scenes, almost all of these AI assistants now use the Model Context Protocol (MCP)—an open standard developed by Anthropic that allows AI models to connect to external tools and data sources in a standardized way.

Think of MCP as the universal adapter that lets your AI assistant plug into Slack, GitHub, your production database, and everything else in your organization. It’s incredibly powerful. It’s also incredibly dangerous if not properly secured.

The Wild West of Unmanaged AI Connections

Here’s the problem: in most organizations today, MCP connections look like the early days of the Internet—every developer is running their own collection of MCP servers, each with different security postures, often with broad permissions and little to no centralized oversight.

Traditional MCP architecture: each developer manages individual server connections, creating multiple attack vectors and scattered credentials.

It’s what security researchers are calling “Shadow AI”—and it’s the perfect storm for attackers.

The Security Nightmare: Real Threats, Real Consequences

Let’s be clear: these aren’t theoretical risks. Security researchers have already documented numerous attacks exploiting MCP vulnerabilities. Here are the most critical threats organizations face today:

1. Prompt Injection: Weaponizing Natural Language

Imagine an attacker embedding hidden instructions in a GitHub issue comment, a Slack message, or even a support ticket. When your AI assistant reads that content as context, it could be tricked into executing malicious commands.

In one documented case analyzed by Datadog, an AI agent processing a support ticket was fed SQL commands disguised as innocent ticket data. The agent—acting as a “confused deputy”—couldn’t distinguish between legitimate data and malicious SQL, and dutifully executed the commands, compromising the entire database.

Real-world impact: Data exfiltration, unauthorized access, system compromise

2. Tool Poisoning: When Your Tools Turn Against You

Here’s a terrifying scenario: you install a seemingly legitimate MCP server to help your AI assistant manage cloud resources. It works perfectly for weeks. Then, in a routine update, the tool’s behavior changes.

Prompt Security’s Top 10 MCP Risks report describes how attackers can execute “rug pull attacks”—where tools initially appear legitimate but suddenly become malicious after gaining trust and widespread adoption.

That innocent “list S3 buckets” tool? After an update, it might now:

• List the buckets (as expected)
• Also delete them (based on poisoned tool metadata)
• Exfiltrate your conversation history to an attacker-controlled server
• All without your knowledge or consent

Real-world impact: Data loss, service disruption, intellectual property theft

3. Credential Theft: The Keys to Your Kingdom

According to Red Hat’s security analysis, most MCP servers store credentials in plaintext configuration files. These might include:

• API tokens for AWS, GitHub, and other cloud services
• Database connection strings with embedded passwords
• OAuth tokens that survive password changes
• SSH keys and other authentication secrets

Attackers who compromise a single MCP server configuration file can gain access to your entire connected ecosystem. Datadog’s research found that improperly stored configuration files are among the primary causes of MCP-related breaches.

Real-world impact: Account takeover, lateral movement across systems, persistent access

4. Supply Chain Attacks: Trusting the Wrong Code

In mid-2025, security researchers discovered CVE-2025-6514—a critical vulnerability in a popular npm package used for MCP authentication. Thousands of servers were exposed before the issue was patched.

Docker’s MCP Security Guide emphasizes the risks of:

• Typosquatting: Malicious packages with names similar to legitimate MCP servers
• Unsigned builds: No way to verify the authenticity of downloaded tools
• Hidden side effects: Code that appears benign but contains malicious logic

In another incident dubbed “NeighborJack,” researchers found hundreds of MCP servers inadvertently exposed to the public Internet because they were misconfigured to bind to 0.0.0.0 without proper firewall rules, allowing for potential OS command injection and host takeover.

Real-world impact: Large-scale compromises, widespread data breaches

5. The “Confused Deputy” Problem

One of the most insidious vulnerabilities is when your AI assistant has higher privileges than you do—and attackers know it.

The official MCP security best practices describe the “confused deputy problem”: an MCP server executing actions on behalf of users but with its own elevated permissions, potentially violating the principle of least privilege.

For example, an attacker might trick an AI assistant into:

• Creating database users with admin privileges
• Modifying access control lists
• Executing system commands beyond the user’s normal permissions

Real-world impact: Privilege escalation, unauthorized administrative access

6. Data Leakage Between Tenants

Even major platforms aren’t immune. In June 2025, a popular team collaboration tool’s MCP integration suffered a privacy breach where customer information became visible in other customers’ MCP instances due to a bug. The integration had to be taken offline for two weeks.

Real-world impact: Privacy violations, regulatory compliance issues, loss of customer trust

The Complete List: Top 10 MCP Security Risks

Based on comprehensive research from Prompt Security, Docker, Red Hat, and Datadog, here are the critical security risks every organization must address:

1. Prompt Injection - Malicious inputs manipulating AI behavior
2. Tool Poisoning - Compromised tool metadata leading to harmful actions
3. Privilege Abuse - Excessive permissions creating attack opportunities
4. Tool Shadowing & Shadow MCP - Rogue servers mimicking trusted services
5. Indirect Prompt Injection - Hidden instructions in external data sources
6. Sensitive Data Exposure & Token Theft - Plaintext credentials and tokens
7. Command/SQL Injection - Unvalidated inputs enabling code execution
8. Rug Pull Attacks - Legitimate tools turning malicious after adoption
9. Denial of Wallet/Service - Resource exhaustion and API abuse
10. Authentication Bypass - Weak authentication enabling unauthorized access

The Solution: Cloudflare MCP Server Portals

The good news? The industry is responding. Cloudflare has introduced MCP Server Portals—a centralized solution that addresses most of these critical vulnerabilities.

What Are MCP Server Portals?

Think of an MCP Server Portal as a “single front door” for all your AI assistant connections. Instead of developers individually managing dozens of scattered MCP server endpoints, organizations can:

1. Register all approved MCP servers with Cloudflare
2. Configure a single, centralized portal endpoint
3. Provide users with just one URL to configure in their AI assistants
4. Apply enterprise-grade security controls to every connection

Cloudflare MCP Portals architecture: a single, secured gateway providing centralized control, authentication, and audit logging for all MCP connections.

According to Cloudflare’s announcement blog post, this immediately transforms your security posture in four critical ways:

1. Centralized Policy Enforcement

MCP Portals integrate directly with Cloudflare One, Cloudflare’s Zero Trust SASE platform. This means you can enforce the same security policies for AI connections that you already use for human users:

• ✅ Multi-factor authentication (MFA) required
• ✅ Device posture checks (only company-managed devices)
• ✅ Geographic restrictions (block connections from high-risk countries)
• ✅ Role-based access control (only authorized users can access specific tools)

As Cloudflare describes it: organizations can now “require multi-factor authentication, check for device posture, restrict by geography, and ensure only the right users can access specific servers and tools.”

2. Comprehensive Visibility and Logging

Before portals, understanding what your AI assistants were doing was nearly impossible. Data was scattered across dozens of individual MCP servers, each with their own (often minimal) logging.

Now, every MCP request flows through the portal and is logged centrally. Security teams can finally answer critical questions like:

• Who is accessing which MCP servers?
• What tools and actions are being used?
• When did suspicious activity occur?
• Why did an AI assistant perform a particular action?

This visibility is crucial for:

• Security audits and compliance reporting
• Anomaly detection and threat hunting
• Incident response and forensic analysis
• Understanding usage patterns and optimizing policies

3. Curated, Least-Privilege Access

One of the most powerful security principles is least privilege—users should only have access to the minimum resources necessary for their work.

MCP Portals make this practical by allowing administrators to:

✅ Review and approve MCP servers before making them available
✅ Curate specific tools available through each portal
✅ Create role-based portals (engineering gets one set of tools, operations gets another)
✅ Prevent the use of unvetted or malicious third-party servers

As Cloudflare explains: “When a user authenticates through their Portal, they are only presented with the curated list of servers and tools they are authorized to use, preventing the use of unvetted or malicious third-party servers.”

4. Simplified User Experience

Security often trades off with usability, but MCP Portals actually improve both. Instead of developers needing to:

• ❌ Find and configure dozens of individual MCP server URLs
• ❌ Manage authentication for each server separately
• ❌ Update configurations when servers change
• ❌ Troubleshoot connection issues across multiple endpoints

They now simply:

• ✅ Configure a single portal URL in their AI assistant
• ✅ Authenticate once through their corporate identity provider
• ✅ Automatically get access to all approved tools
• ✅ See new servers appear dynamically as they’re approved

How to Set Up MCP Server Portals

Getting started with Cloudflare MCP Portals is straightforward. Here’s the complete setup process based on the official documentation:

Prerequisites

Before you begin, ensure you have:

• ✅ An active domain on Cloudflare
• ✅ Domain configured with full or CNAME setup
• ✅ Identity provider configured on Cloudflare Zero Trust (Okta, Google Workspace, Azure AD, etc.)

Step 1: Add Your MCP Servers

Navigate to the Cloudflare Zero Trust dashboard and register each MCP server:

1. Go to Access > AI Controls > MCP Servers
2. Click "Add MCP Server"
3. Provide the server details:
   - Name: A friendly name (e.g., "Slack Integration")
   - Server URL: The actual MCP server endpoint
   - Authentication: Choose OAuth, API key, or unauthenticated
4. Test the connection
5. Save the server

Step 2: Create a Portal

Now create a portal that groups your approved servers:

1. Go to Access > AI Controls > MCP Portals
2. Click "Create Portal"
3. Configure the portal:
   - Portal Name: e.g., "Engineering AI Tools"
   - Subdomain: e.g., "ai-portal.yourcompany.com"
   - Select which MCP servers to include
   - Choose which tools to expose from each server
4. Save the portal configuration

Step 3: Configure Access Policies

Define who can use the portal using Cloudflare Access policies:

1. Create a new Access policy for your portal
2. Define allow rules:
   - Email domain: @yourcompany.com
   - Groups: Engineering team
   - Require: MFA enabled
   - Device posture: Managed devices only
3. Optional: Add deny rules for specific users or regions
4. Save the policy

Step 4: Connect AI Assistants

Users can now connect their AI assistants with a single configuration:

// Example configuration for Claude Desktop
{
  "mcpServers": {
    "company-portal": {
      "command": "npx",
      "args": [
        "-y",
        "mcp-remote@latest",
        "https://ai-portal.yourcompany.com/mcp"
      ]
    }
  }
}

That’s it! When users launch their AI assistant, they’ll authenticate through your identity provider, and automatically gain access to all approved tools.

Beyond Portals: Essential Security Practices

While MCP Portals provide a strong foundation, they’re not a complete solution on their own. Organizations should implement these additional security controls recommended by Docker, Red Hat, and the official MCP security guidelines:

1. Sandbox Local MCP Servers

Run MCP servers in isolated environments with restricted permissions:

# Example: Run MCP server in Docker with limited permissions
docker run --rm \
  --network none \
  --read-only \
  --security-opt="no-new-privileges:true" \
  --user 1000:1000 \
  your-mcp-server:latest

Why: Limits the blast radius if a server is compromised

2. Implement Strict Input Validation

Never pass user input directly to system commands or database queries. Red Hat’s guidance includes this example of a vulnerable MCP server:

# VULNERABLE - Don't do this!
def dispatch_alert(notification_info):
    title = f"{notification_info['title']} - {notification_info['severity']}"
    subprocess.call(["notify-send", title])  # Command injection risk!

Better approach: Use parameterized queries and safe API wrappers

3. Use Short-Lived, Scoped Tokens

Avoid long-lived credentials. Implement token rotation:

// Good: OAuth flow with 1-hour tokens
const token = await getOAuthToken({
  scope: ["read:s3", "write:cloudwatch"],
  expiresIn: 3600,
});

// Bad: Hard-coded, permanent API key
const API_KEY = "sk-proj-abc123..."; // ❌ Never do this

4. Require User Confirmation for Sensitive Actions

Following Prompt Security’s recommendations, always require explicit user approval for:

• Writing to databases
• Deleting resources
• Modifying access controls
• Executing system commands
• Making external API calls that incur costs

5. Maintain an Allowlist of Approved Tools

As Docker emphasizes, maintain a curated catalog of verified MCP servers:

# approved-mcp-servers.yaml
approved_servers:
  - name: "slack-integration"
    url: "https://mcp.slack.com/v1"
    signature: "sha256:abc123..."
    version: "1.2.3"

  - name: "github-integration"
    url: "https://mcp.github.com/v1"
    signature: "sha256:def456..."
    version: "2.1.0"

Block any unapproved servers from connecting.

6. Monitor and Alert on Anomalies

Set up alerts for suspicious behavior:

• Unusual tool invocation patterns
• High volume of API calls
• Access from unexpected locations
• Failed authentication attempts
• Tools being used outside normal hours

7. Pin Server Versions and Verify Signatures

Prevent “rug pull” attacks by:

✅ Pinning specific versions of MCP servers (not “latest”)
✅ Requiring cryptographic signatures on all server code
✅ Notifying security teams when servers attempt to update
✅ Reviewing changelogs before approving updates

8. Implement Rate Limiting

Protect against denial-of-wallet and resource exhaustion:

// Example rate limit configuration
{
  "rate_limits": {
    "per_user": {
      "requests_per_minute": 60,
      "api_calls_per_hour": 1000
    },
    "per_tool": {
      "database_queries_per_hour": 100,
      "cost_limit_per_day": "$50"
    }
  }
}

The Path Forward: Building Secure AI-Assisted Development

The rise of AI-assisted coding represents one of the most significant shifts in software development since the invention of high-level programming languages. We’re moving from AI as a suggestion engine to AI as an active teammate that can read, write, and execute across our entire technology stack.

This transformation brings enormous productivity gains—but also introduces a new attack surface that we’re only beginning to understand.

The choice facing organizations isn’t whether to adopt AI assistants (that ship has sailed—developers are using them with or without official approval). The choice is whether to adopt them securely or to let “Shadow AI” proliferate unchecked across your infrastructure.

Tools like Cloudflare MCP Server Portals provide a critical foundation:

✅ Centralized control and visibility
✅ Enterprise-grade authentication and authorization
✅ Comprehensive audit logging
✅ Granular tool access control
✅ Zero Trust security integration

But technology alone isn’t enough. Organizations also need:

📋 Clear policies on approved AI assistants and MCP servers
🎓 Developer training on AI security risks
🔍 Regular security audits of MCP configurations
📊 Monitoring and alerting on unusual AI assistant behavior
🚨 Incident response plans for AI-related security events

Conclusion: Security as a Prerequisite, Not an Afterthought

The next time you ask your AI assistant to “check which S3 buckets haven’t been used in 90 days,” take a moment to consider: How do you know it won’t also delete them?

The MCP ecosystem is powerful—perhaps the most powerful integration layer for AI we’ve ever built. But as researchers at Prompt Security, Docker, Red Hat, Datadog, and Cloudflare have all documented, that power comes with serious risks:

• Prompt injection enabling data exfiltration
• Tool poisoning causing unintended actions
• Credential theft compromising entire systems
• Supply chain attacks through malicious servers
• Privilege escalation via confused deputy problems

Organizations that rushed to adopt AI assistants without proper security controls are discovering these risks the hard way. But it doesn’t have to be this way.

By implementing MCP Server Portals, following security best practices, and treating AI security as a first-class concern, we can harness the productivity benefits of AI-assisted coding without exposing our systems to catastrophic breaches.

The future of software development is human-AI collaboration. Let’s make sure it’s also secure.

Have questions or experiences with MCP security? Share your thoughts on Twitter/X. Let’s build a more secure AI-assisted future together.