"What Happens Locally, Leaks Globally": Detecting Privacy Leakage Risks in MCP Servers

📅 2026-06-19
📈 Citations: 0
Influential: 0
📄 PDF
🤖 AI Summary
This work addresses a critical privacy vulnerability in the Model Context Protocol (MCP), where design flaws can lead to unintended leakage of sensitive information—such as credentials, API keys, and personally identifiable information (PII)—without explicit outbound requests. To tackle this issue, we propose MCPPrivacyDetector, the first context-sensitive, cross-language static analysis framework specifically designed to detect implicit privacy leaks in MCP implementations. Our approach unifies multi-language program representations, employs semantic filtering to identify sensitive data, models MCP-specific implicit taint sinks, and performs context-sensitive taint analysis. Evaluation on 10,655 real-world MCP servers reveals that over 10% are susceptible to privacy leaks, with confirmed cases involving exposed Bearer tokens, API keys, and plaintext credentials.
📝 Abstract
The Model Context Protocol (MCP) has rapidly become the de facto standard for connecting large language models (LLMs) to external resources, but it also introduces a class of privacy risks that existing tools are ill-equipped to detect. Unlike conventional exfiltration bugs, leakage in MCP servers is largely protocol-induced: credentials, API keys, and Personally Identifiable Information (PII) cross the local/LLM boundary simply by being returned, logged, or raised inside a tool handler, with no explicit outbound request in the source code. We present MCPPrivacyDetector, a context-aware cross-language static analysis framework that detects such leakage in multilingual MCP servers. MCPPrivacyDetector lifts heterogeneous code implemented across different programming language (e.g., Python) into a unified program representation, applies context-aware semantic filtering to isolate genuinely sensitive values and protocol-specific implicit sinks (e.g., @mcp.tool handlers), and performs taint analysis to enumerate feasible flows. Applied to 10,655 real-world MCP servers, MCPPrivacyDetector finds leakage rates above 10%. Case studies confirm concrete exposures including leaked Bearer tokens, propagated API keys, and plaintext authentication credentials, arguing for systematic, protocol-aware safeguards in the emerging LLM agent toolchain.
Problem

Research questions and friction points this paper is trying to address.

privacy leakage
Model Context Protocol
LLM agents
PII
credential exposure
Innovation

Methods, ideas, or system contributions that make the work stand out.

MCPPrivacyDetector
Model Context Protocol
privacy leakage
static analysis
taint analysis
🔎 Similar Papers
No similar papers found.