July 14, 2026
MCP Servers Are the New Open Port 22. Nobody’s Auditing Them.
The MCP Bug Bounty Field Guide · Part 1 of 5 — what the protocol is, and why it just created the most under-hunted surface of 2026.

By Abhishek meena
4 min read
30-second version A new protocol lets AI models call external code on demand. Teams shipped it faster than they secured it. Bug bounty programs have it in scope but haven't mapped it. The hunters who move first will own this surface the way the first SSRF hunters owned cloud metadata.
Every few years, a new attack surface appears.
The people who move first eat the bounty table. Everyone else arrives when the queue is full.
SSRF had that moment. GraphQL had it. IDOR still has it.
The Model Context Protocol is having it right now. And almost nobody is hunting it.
This is Part 1 of a five-part field guide for bug bounty hunters. By the end of the series you'll find MCP surfaces in scope, exploit the three bug classes that live in them, and write reports that score Critical instead of Informative.
First, the map. Where the surface is, why it's open, and why the window closes fast.
A real hunt, to set the stakes
Early 2026. A researcher pulls a popular open-source MCP server off a "best servers" list — the kind indie hackers drop into their AI apps in one click.
It exposes a tool that runs shell commands on the host.
No sandbox. No allow-list. The tool description reads innocuous: "fixes a file." So the model calls it every time a user says "fix the file."
One crafted user message chains the whole thing:
- Ask the model to read a remote doc.
- The doc contains instructions.
- The instructions tell the model to use the shell tool to curl an attacker server — with the contents of
~/.sshin the query string.
RCE-adjacent exfiltration. Three hops. Zero traditional "vulnerabilities." No CVE. The fix was a config default.
The three hops, and the one a defender should break.
That's the shape of an MCP bug. It doesn't look like a bug. It looks like the system working as designed — because the design is the problem.
Reconstructed and sanitized; verify against the public writeup before citing it in your own reports.
What MCP is, in two lines
A standard way for an LLM to call external code. That's it, stripped of marketing.
An AI app wants its model to read files, query a database, run a shell command. MCP is the wire format that lets the model list those tools, call them, and read the results. Anthropic open-sourced it in late 2024. By 2026, every major AI app is bolting it on.
The mental model that matters for hunters:
An MCP server is a bundle of tools an LLM is allowed to run.
A tool is a function with a name, a description, and the power to do something real. The model reads the description, decides to call the tool, and gets the result back as text it treats as context.
Two things should jump out already:
- The model reads tool descriptions as instructions. Text an attacker controls is prompt injection. (Part 2.)
- Tools do real things — run shell, write files, fetch URLs — and the model treats tool output as trusted input. Untrusted input into a privileged actor is the textbook injection pattern. (Part 3.)
Reframe, hold it for the rest of the series: MCP turns "what the LLM is allowed to do" into "what arbitrary external code is allowed to do."
Why it's a new attack surface
Three things changed in the last 18 months.
Adoption outran security. Teams shipped MCP because users wanted it, not because anyone audited it. A server exposing run_shell gets wired to a model happy to call it. Default configs lean permissive, because permissive demos well.
The threat model is new to most programs. Bounty policies were written for web apps — XSS, IDOR, SSRF, auth bypass. They were not written for "an attacker-controlled tool description convinces the model to exfiltrate secrets on the next message." That bug fits no existing bounty-table row. So triagers downgrade it — and the hunters who learn to argue its impact get paid while everyone else argues in Mediation.
The surface is growing faster than it's being mapped. Most recon playbooks don't look for MCP at all. No subfinder for MCP servers. No default Nuclei tag for a poisoned tool description. The people who build those playbooks first will own this surface.
This is the part that repeats every cycle. The surface appears. A few people map it. Then it floods. You want to be in the first group.
Where MCP hides in scope
You won't find "MCP" in a program's assets list. You find it indirectly.
- AI features in scope. Any program with an AI chat, agent, copilot, or "connect your tools" flow is an MCP candidate. The server sits one hop behind the feature.
- Self-hosted MCP servers. If a target exposes an SSE or HTTP endpoint returning JSON-RPC with
tools/list, that's an MCP server. In scope like any other host. - Connectors and marketplaces. Apps that let users install third-party MCP servers expose a supply-chain surface. A malicious connector is an MCP bug — often in scope under "integrations" or "third-party content."
The first recon move is simple: wherever a target says "AI" or "agents" or "connect your tools," ask what's running behind it. Most of the time the answer is MCP. Most of the time nobody has tested it.
Three places MCP is already in scope, and why most hunters walk past all of them.
Why the window is open right now
Bug bounty rewards the people who show up early to a surface the program hasn't mapped.
MCP is at that stage. The bugs aren't exotic. They're injection, access control, and confused-deputy problems wearing a new protocol as a costume. The craft you already have transfers directly.
What's missing is the map — which programs expose it, where it hides, and how to argue impact so it doesn't get downgraded.
That's the rest of the series:
- Part 2 — tool poisoning: how a malicious tool description hijacks a model, and how to write it up as a real bug.
- Part 3 — prompt injection through MCP, framed as SSRF for text.
- Part 4 — the RCE chain, hop by hop.
- Part 5 — the recon and report-craft playbook that turns this into a repeatable bounty pipeline.
The surface is here. The queue is empty.
The people who map it first are about to have a very good quarter.
Sources
- Model Context Protocol — open-sourced by Anthropic, late 2024. Spec and reference servers at
modelcontextprotocol.io. - Early MCP security research on tool poisoning, prompt injection via tool outputs, and confused-deputy / token-passthrough issues. The surface is moving fast — cite the specific advisory before publishing.