MCPSecBench: A Systematic Security Benchmark and Playground for Testing Model Context Protocols

Large Language Models (LLMs) are increasingly integrated into real-world applications via the Model Context Protocol (MCP), a universal, open standard for connecting AI agents with data sources and external tools. While MCP enhances the capabilities of LLM-based agents, it also introduces new security risks and expands their attack surfaces. In this paper, we present the first systematic taxonomy of MCP security, identifying 17 attack types across 4 primary attack surfaces. Our benchmark is modular and extensible, allowing researchers to incorporate custom implementations of clients, servers, and transport protocols for systematic security assessment. Experimental results show that over 85% of the identified attacks successfully compromise at least one platform, with core vulnerabilities universally affecting Claude, OpenAI, and Cursor, while prompt-based and tool-centric attacks exhibit considerable variability across different hosts and models. In addition, current protection mechanisms have little effect against these attacks. Large language models (LLMs) are transforming the landscape of intelligent systems, enabling powerful language understanding, reasoning, and generative capabilities. To further unlock their potential in real-world applications, there is an increasing demand for LLMs to interact with external data, tools, and services (Lin et al., 2025; Hasan et al., 2025). The Model Context Protocol (MCP) has emerged as a universal, open standard for connecting AI agents to diverse resources, facilitating richer and more dynamic task-solving. However, this integration also introduces a broader attack surface: vulnerabilities may arise not only from user prompts (such as prompt injection (Shi et al., 2024)), but also from insecure clients, transport protocols, and malicious or misconfigured servers (Hasan et al., 2025). As MCP-powered agents increasingly interact with sensitive enterprise systems and even physical infrastructure, securing the entire MCP stack becomes critical to prevent data breaches, unauthorized actions, and real-world harm (Narajala & Habler, 2025).