MCP defines the exchange format, but does not define security enforcement This creates an open door if the server is connected directly to the agent.
What early 2026 showed:
- For MCP servers, clients, and infrastructure, a a series of vulnerabilities.
- CVE-2025-6514 In `mcp-remote`, a malicious MCP server could pass a crafted authorization URL directly to the system shell, enabling remote code execution.
- A typical risk class is prompt injection through tool and resource descriptions, leading to unauthorized access and data leaks.
The industry response is to put MCP Gateway as a policy enforcement point: OAuth identity injection, schema validation, personal data obfuscation, and auditing of every tool call. This is how agent access is separated into what the agent can do and what it is allowed to access.


