Skills
OWASP MCP Top 10: Shadow MCP Servers Are the New Shadow IT Risk in Agent Pipelines
The OWASP MCP Top 10 (2026) formalizes Shadow MCP Servers — unapproved, unsupervised MCP deployments running outside organizational security governance — as a distinct category with default credentials and permissive configurations as the primary attack surface. Remediation requires a signed-component inventory with provenance tracking for every MCP module, immutable audit trails on all tool invocations, and automated scope-expiry policies to prevent privilege creep. The full top 10 also covers token mismanagement, tool poisoning, and insufficient authentication as the other leading risks.
↳ Follow the thread