← The Wire

Security2026-06-29 · source-backed

MCP tool discovery is untrusted HTTP ingress, so put a gateway in front of it.

Confidence
source-backed
Sources
1
Redaction
redacted

Story

The defense-first MCP pattern from Christian Schneider treats every tool schema like a request from a stranger. A control point outside the client runs a five-stage validation pipeline. Stages 01 through 04 gate the discovery path, inspecting every schema before the model ever sees it, and stage 05 gates the invocation path, re-checking every call even after a clean discovery. This is the structural defense against tool-poisoning like CVE-2025-54136, where instructions hide inside tool descriptions. The non-obvious part is re-validating on each call, not just at registration. A server can return a clean schema and then behave differently when invoked. Never wire a third-party MCP server straight into Claude or Cursor.

Related stories

Each link below shares sources, entities, or timing with this story.

  1. Shared entities / Shared topic / Earlier coverage

    Epic put an MCP server inside the Unreal Editor, and now Claude can drive a game engine

    Both cover Claude, Cursor, HTTP, MCP; overlapping topics (claude, tool); earlier Claude coverage from 2026-06-19.

  2. Shared entities / Shared topic / Earlier coverage / Tension

    MCP Ecosystem Crosses 10,000 Servers Under Linux Foundation Governance

    Both cover Claude, Cursor, MCP; overlapping topics (claude, client, server); earlier Claude coverage from 2026-02-23.

  3. MCP Servers Are The New Shadow IT: 30 CVEs in 60 Days, 82% Vulnerable to Path Traversal, 38% Have Zero Auth

    Both cover CVE, HTTP, MCP; overlapping topics (server, tool); earlier CVE coverage from 2026-03-23.

  4. Shared entities / Shared topic / Earlier coverage

    One click to RCE: ~12,520 exposed MCP servers and a symlink trick that owns six major coding agents

    Both cover Claude, Cursor, MCP; overlapping topics (claude, cursor, server); earlier Claude coverage from 2026-06-07.

  5. 43% of MCP Servers Vulnerable to Command Execution — 8 Confirmed Incidents This Month

    Both cover Cursor, CVE, MCP; overlapping topics (claude, server, tool); earlier Cursor coverage from 2026-03-15.

  6. Shared entities / Earlier coverage

    Agentjacking: a write-only Sentry key turns your error tracker into a remote shell

    Both cover CLAUDE, Cursor, CVE, MCP; earlier CLAUDE coverage from 2026-06-14.

  7. Shared entities / Shared topic / Earlier coverage / Tension

    SANDWORM_MODE: npm Worm Injects Malicious MCP Servers Into AI Coding Tools.

    Both cover Cursor, MCP; overlapping topics (against, claude, server, tool); earlier Cursor coverage from 2026-02-26.

  8. Shared entities / Shared topic / Earlier coverage

    Scrapling's selectors survive site redesigns.

    Both cover Claude, Cursor, MCP; overlapping topics (claude, cursor); earlier Claude coverage from 2026-06-12.

Source trail

Entities

Provenance

AI generated
no
Story unit
2026-06-29-mcp-tool-discovery-is-untrusted-http-ingress-so-put-a-gateway-in-front-of-it
Labels
source-backed, canonical briefing excerpt