AI Summary
This study addresses a critical security gap in current Model Context Protocol (MCP) deployments: the absence of caller identity authentication, which allows multiple untrusted clients to reuse a single authorization decision and abuse tool interfaces. For the first time, this work systematically identifies and quantifies the "caller identity confusion" risk through large-scale empirical analysis, authorization state tracking, and tool-level access control evaluation. The findings reveal that most MCP servers implicitly treat themselves as trusted entities and neglect fine-grained verification of individual callers. To mitigate this vulnerability, the paper advocates explicit caller authentication and fine-grained authorization mechanisms, providing essential guidance for secure MCP design and substantially reducing the attack surface introduced by persistent authorization states.
Abstract
The Model Context Protocol (MCP) is an open and standardized interface that enables large language models (LLMs) to interact with external tools and services, and is increasingly adopted by AI agents. However, the security of MCP-based systems remains largely unexplored. In this work, we conduct a large-scale security analysis of MCP servers integrated within MCP clients. We show that treating MCP servers as trusted entities without authenticating the caller identity is fundamentally insecure. Since MCP servers often cannot distinguish who is invoking a request, a single authorization decision may implicitly grant access to multiple, potentially untrusted callers. Our empirical study reveals that most MCP servers rely on persistent authorization states, allowing tool invocations after an initial authorization without re-authentication, regardless of the caller. In addition, many MCP servers fail to enforce authentication at the per-tool level, enabling unauthorized access to sensitive operations. These findings demonstrate that one-time authorization and server-level trust significantly expand the attack surface of MCP-based systems, highlighting the need for explicit caller authentication and fine-grained authorization mechanisms.
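The two authorization models the abstract contrasts, as an added illustration that is not code from the paper or from any MCP implementation. `PersistentAuthServer` mirrors the pattern the study observes: one authorization decision flips a server-wide flag, after which any caller can invoke any tool without re-authentication. `PerCallerAuthServer` shows the advocated mitigation: each caller presents a credential bound to its identity, and every tool invocation is checked against that caller's scopes. The tool names, scope strings, signing key and sample credentials are all constructed for this example.

```python
"""Persistent (server-wide) authorization vs. per-caller, per-tool authorization.

Added example, not from the paper. Two minimal in-memory tool servers expose the
same tool set; only their authorization logic differs. All identifiers below are
constructed for the illustration.
"""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed tool catalogue: tool name -> scope required to invoke it.
TOOLS = {
    "read_calendar": "calendar:read",
    "send_email": "email:send",
    "delete_files": "files:write",
}


class PersistentAuthServer:
    """Vulnerable pattern: a single authorization state shared by all callers."""

    def __init__(self):
        self.authorized = False

    def authorize(self, token):
        # Constructed sample credential; a real server would validate an OAuth token.
        if token == "valid-token":
            self.authorized = True
        return self.authorized

    def call_tool(self, caller_id, tool):
        # caller_id is accepted but never verified: only the server-wide flag matters,
        # so once any client has authorized, every client can invoke every tool.
        if tool not in TOOLS:
            raise KeyError(tool)
        if not self.authorized:
            return "denied"
        return f"ok:{tool}"


@dataclass(frozen=True)
class Caller:
    caller_id: str
    scopes: frozenset


class PerCallerAuthServer:
    """Mitigated pattern: authenticate each caller and authorize each tool call."""

    def __init__(self, signing_key: bytes):
        self._key = signing_key
        self._callers = {}

    def _sign(self, caller_id):
        # Credential bound to the caller identity via HMAC-SHA256 over the caller id.
        return hmac.new(self._key, caller_id.encode(), hashlib.sha256).hexdigest()

    def issue_credential(self, caller_id, scopes):
        """Register a caller with a fixed scope set and hand back its credential."""
        self._callers[caller_id] = Caller(caller_id, frozenset(scopes))
        return self._sign(caller_id)

    def call_tool(self, caller_id, credential, tool):
        if tool not in TOOLS:
            raise KeyError(tool)
        caller = self._callers.get(caller_id)
        # Authentication: the credential must match the claimed caller identity.
        if caller is None or not hmac.compare_digest(credential, self._sign(caller_id)):
            return "denied:unauthenticated"
        # Per-tool authorization: the caller must hold the scope this tool requires.
        if TOOLS[tool] not in caller.scopes:
            return "denied:scope"
        return f"ok:{tool}"


def demo():
    """Run both servers through the same sequence and collect the outcomes."""
    results = {}
    shared = PersistentAuthServer()
    shared.authorize("valid-token")                     # one client authorizes once
    results["shared_alice"] = shared.call_tool("alice", "read_calendar")
    results["shared_mallory"] = shared.call_tool("mallory", "delete_files")  # rides along

    strict = PerCallerAuthServer(b"constructed-server-key")
    alice_cred = strict.issue_credential("alice", ["calendar:read"])
    results["strict_alice_ok"] = strict.call_tool("alice", alice_cred, "read_calendar")
    results["strict_alice_scope"] = strict.call_tool("alice", alice_cred, "send_email")
    results["strict_mallory"] = strict.call_tool("mallory", alice_cred, "delete_files")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In the shared-state server, Mallory's `delete_files` call succeeds purely because Alice authorized earlier; in the per-caller server the same call is rejected at the authentication step, and even Alice's own call to `send_email` is rejected because her credential carries only `calendar:read`. Binding the credential to the caller identity (rather than to the server session) is what makes the per-tool scope check meaningful.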