Breaking the Control Plane: Exploiting MCP Servers in AI Workflows

Model Context Protocol (MCP) servers are rapidly becoming the integration layer between AI agents and real-world systems. They connect models to ticketing platforms, source control, CI/CD pipelines, internal APIs, and local files, often running with production credentials and network reach.

Despite this, MCP servers are frequently deployed as “developer tooling,” bound to 0.0.0.0, and rarely threat-modeled as infrastructure.

In this talk, we present offensive research into the MCP ecosystem and demonstrate how classic vulnerability classes become significantly more impactful when placed inside agent-driven automation layers.

Through real-world case studies, including critical vulnerabilities affecting a widely deployed Atlassian MCP server (4M+ downloads), we show how network-reachable services can be coerced into outbound pivoting, filesystem control, and full remote code execution.

This talk presents a systematic offensive analysis of open-source MCP servers and their deployment patterns.

MCP servers are increasingly embedded in AI workflows to bridge agents with external systems. In practice, they:

  • Hold API tokens and personal access tokens
  • Perform outbound HTTP requests
  • Read and write to local filesystems
  • Execute privileged automation steps
  • Are often bound to 0.0.0.0 by default

The research focuses on:

  • Control-plane override via header injection: Demonstrating how unvalidated service URL headers allow attackers to redirect outbound requests, bypassing intended configuration boundaries.

  • Chaining SSRF into filesystem primitives: Turning outbound request control into arbitrary file write capabilities under realistic deployment conditions.

  • Privilege amplification in agent-driven systems: How automation workflows amplify classical primitives into infrastructure-level compromise.

  • Middleware and dependency-layer attack surfaces: Why reviewing tool handlers is insufficient when trust boundaries are broken earlier in the request lifecycle.
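To make the first point concrete from the defender's side, here is an added example (not code from the talk or from any MCP server it discusses) contrasting a handler that trusts a service URL header outright with one that pins the upstream to an operator-configured allowlist. The header name, allowlist and URLs are constructed for illustration.

```python
from urllib.parse import urlparse

# Constructed for this example: the header name is an assumption, not one used
# by any specific MCP server.
SERVICE_URL_HEADER = "x-service-url"


def resolve_service_url_unsafe(headers: dict, configured_url: str) -> str:
    """Weak pattern: any request header silently overrides the configured
    upstream, so whoever can reach the server also controls where its
    credential-bearing outbound requests go."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return lowered.get(SERVICE_URL_HEADER, configured_url)


def resolve_service_url(headers: dict, configured_url: str,
                        allowed_hosts: frozenset) -> str:
    """Hardened pattern: a header-supplied URL is honoured only when it is
    https, carries no embedded credentials and names an allow-listed host.
    Anything else raises so the caller can log and alert on the attempt
    rather than quietly routing traffic elsewhere."""
    lowered = {k.lower(): v for k, v in headers.items()}
    candidate = lowered.get(SERVICE_URL_HEADER)
    if candidate is None:
        return configured_url
    parsed = urlparse(candidate)
    if parsed.scheme != "https" or parsed.hostname is None:
        raise ValueError(f"rejected service URL override (scheme/host): {candidate!r}")
    if parsed.username or parsed.password:
        raise ValueError(f"rejected service URL override (embedded credentials): {candidate!r}")
    if parsed.hostname.lower() not in allowed_hosts:
        raise ValueError(f"rejected service URL override (host not allow-listed): {candidate!r}")
    return candidate


if __name__ == "__main__":
    configured = "https://jira.corp.example"
    allowed = frozenset({"jira.corp.example", "confluence.corp.example"})
    hdrs = {"X-Service-URL": "http://other.example/api"}
    print("unsafe  ->", resolve_service_url_unsafe(hdrs, configured))
    try:
        resolve_service_url(hdrs, configured, allowed)
    except ValueError as exc:
        print("hardened ->", exc)
```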

As a concrete example, we will present two critical CVEs we disclosed in a widely used Atlassian MCP server that enable an unauthenticated SSRF -> arbitrary file write -> RCE chain (CVE-2026-27825, CVE-2026-27826).

Beyond individual bugs, we show recurring structural weaknesses across MCP servers and explain why they are likely to become attractive lateral movement and pivot targets in enterprise AI environments.

About the Speaker