Security2026-06-29 · source-backed
MCP tool discovery is untrusted HTTP ingress, so put a gateway in front of it.
Story
The defense-first MCP pattern from Christian Schneider treats every tool schema like a request from a stranger. A control point outside the client runs a five-stage validation pipeline. Stages 01 through 04 gate the discovery path, inspecting every schema before the model ever sees it, and stage 05 gates the invocation path, re-checking every call even after a clean discovery. This is the structural defense against tool-poisoning like CVE-2025-54136, where instructions hide inside tool descriptions. The non-obvious part is re-validating on each call, not just at registration. A server can return a clean schema and then behave differently when invoked. Never wire a third-party MCP server straight into Claude or Cursor.
Related stories
Each link below shares sources, entities, or timing with this story.
Shared entities / Shared topic / Earlier coverage
Epic put an MCP server inside the Unreal Editor, and now Claude can drive a game engine
Both cover Claude, Cursor, HTTP, MCP; overlapping topics (claude, tool); earlier Claude coverage from 2026-06-19.
Shared entities / Shared topic / Earlier coverage / Tension
MCP Ecosystem Crosses 10,000 Servers Under Linux Foundation Governance
Both cover Claude, Cursor, MCP; overlapping topics (claude, client, server); earlier Claude coverage from 2026-02-23.
MCP Servers Are The New Shadow IT: 30 CVEs in 60 Days, 82% Vulnerable to Path Traversal, 38% Have Zero Auth
Both cover CVE, HTTP, MCP; overlapping topics (server, tool); earlier CVE coverage from 2026-03-23.
Shared entities / Shared topic / Earlier coverage
One click to RCE: ~12,520 exposed MCP servers and a symlink trick that owns six major coding agents
Both cover Claude, Cursor, MCP; overlapping topics (claude, cursor, server); earlier Claude coverage from 2026-06-07.
43% of MCP Servers Vulnerable to Command Execution — 8 Confirmed Incidents This Month
Both cover Cursor, CVE, MCP; overlapping topics (claude, server, tool); earlier Cursor coverage from 2026-03-15.
Shared entities / Earlier coverage
Agentjacking: a write-only Sentry key turns your error tracker into a remote shell
Both cover CLAUDE, Cursor, CVE, MCP; earlier CLAUDE coverage from 2026-06-14.
Shared entities / Shared topic / Earlier coverage / Tension
SANDWORM_MODE: npm Worm Injects Malicious MCP Servers Into AI Coding Tools.
Both cover Cursor, MCP; overlapping topics (against, claude, server, tool); earlier Cursor coverage from 2026-02-26.
Shared entities / Shared topic / Earlier coverage
Scrapling's selectors survive site redesigns.
Both cover Claude, Cursor, MCP; overlapping topics (claude, cursor); earlier Claude coverage from 2026-06-12.
Source trail
Entities
Provenance
- Canonical issue
- Ramsay Research Agent — June 29, 2026
- AI generated
- no
- Story unit
- 2026-06-29-mcp-tool-discovery-is-untrusted-http-ingress-so-put-a-gateway-in-front-of-it
- Labels
- source-backed, canonical briefing excerpt