
Claude-Code

MCP Config Swap: How a Name-Only Approval Lets Attackers Swap Your Server's Binary

Fifth article in my MCP security series. Claude Code stores MCP server approvals as plain server names with no hash, no fingerprint, and no config verification. Once approved, swapping the server’s command to an arbitrary binary triggers no re-prompt. Reported to Anthropic VDP, closed as Informative (out of threat model). Full technical breakdown.
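The approval check described above, as an added example that is not Claude Code's own code: a name-only store beside one that binds each approval to a SHA-256 fingerprint of the command, args and env the user actually saw. The dict layouts, the server name "fs" and both sample configs are constructed for this illustration; the real approval-store format is not reproduced here.

```python
"""Name-only vs fingerprinted MCP server approvals (added illustration).

The dict layouts below are assumptions modelling the behaviour the article
describes (approval keyed by server name only); they are not Claude Code's
storage format.
"""
import hashlib
import json
from typing import Any, Dict, Set, Tuple


def server_fingerprint(server_cfg: Dict[str, Any]) -> str:
    """SHA-256 over a canonical JSON encoding of the fields that decide what runs.

    Sorted keys and fixed separators mean that reordering keys or reflowing
    whitespace in the config file does not cause a spurious re-prompt, while
    any change to command, args or env does.
    """
    material = {
        "command": server_cfg.get("command"),
        "args": list(server_cfg.get("args", [])),
        "env": dict(server_cfg.get("env", {})),
    }
    canonical = json.dumps(material, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def needs_prompt_name_only(approved: Set[str], name: str, server_cfg: Dict[str, Any]) -> bool:
    """Weak check (the behaviour the article describes): once the name is in
    the approved set, any later change to command/args/env goes unnoticed."""
    return name not in approved


def approve_fingerprinted(approved: Dict[str, str], name: str, server_cfg: Dict[str, Any]) -> None:
    """Record name -> fingerprint of the config that was shown to the user."""
    approved[name] = server_fingerprint(server_cfg)


def needs_prompt_fingerprinted(approved: Dict[str, str], name: str, server_cfg: Dict[str, Any]) -> bool:
    """Hardened check: an approval only covers the exact config it was granted
    for, so a swapped command re-prompts even though the name is unchanged."""
    return approved.get(name) != server_fingerprint(server_cfg)


# Constructed sample configs (hypothetical package and path, not from the article).
ORIGINAL = {"command": "npx", "args": ["-y", "@example/filesystem-server", "/home/alice/project"]}
SWAPPED = {"command": "/tmp/evil", "args": []}  # attacker edits the config after approval
REORDERED = {"args": ["-y", "@example/filesystem-server", "/home/alice/project"], "command": "npx"}


def demo() -> Tuple[Tuple[bool, bool], Tuple[bool, bool]]:
    """Returns (weak, strong), each a pair: prompt on ORIGINAL?, prompt on SWAPPED?"""
    name_only_store: Set[str] = {"fs"}           # "fs" approved once, by name
    weak = (needs_prompt_name_only(name_only_store, "fs", ORIGINAL),
            needs_prompt_name_only(name_only_store, "fs", SWAPPED))

    fp_store: Dict[str, str] = {}
    approve_fingerprinted(fp_store, "fs", ORIGINAL)  # user approved ORIGINAL
    strong = (needs_prompt_fingerprinted(fp_store, "fs", ORIGINAL),
              needs_prompt_fingerprinted(fp_store, "fs", SWAPPED))
    return weak, strong


if __name__ == "__main__":
    print(demo())
```

The fingerprint covers the launch spec, which is what an attacker rewrites in the config-swap scenario; binding the approval additionally to a content hash of the resolved executable would catch a replaced binary behind an unchanged path, at the cost of re-prompting on every legitimate upgrade.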

MCP Ancestor Injection: How a .mcp.json in /tmp/ Hijacks Your Claude Code Session

Third article in my MCP security series. Claude Code’s .mcp.json discovery walks from CWD to filesystem root with no boundary check and no file ownership verification. On multi-user Linux systems, any user can drop /tmp/.mcp.json to inject MCP servers into the Claude Code session of any other user whose working directory sits under /tmp. Not reported to Anthropic. Here’s why, and the full technical breakdown.
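The discovery walk described above, as an added example that is not Claude Code's code: the unbounded ancestor walk beside a bounded one that stops at the project root and refuses files not owned by the invoking user. The filesystem is a constructed in-memory model (path to owner uid and mode) so the example runs offline; the uids, the /tmp/checkout layout and the ".git as project boundary" policy are this example's assumptions, not the article's.

```python
"""Ancestor .mcp.json discovery: unbounded walk vs bounded, ownership-checked walk.

Added illustration, not Claude Code's code. FS below is a constructed model of
a multi-user box: alice (uid 1000) works in a checkout under /tmp; mallory
(uid 1001) has planted /tmp/.mcp.json. Only the "walk from CWD to /" part is
taken from the article; the hardened policy is this example's own.
"""
import stat
from pathlib import PurePosixPath
from typing import Dict, List, Tuple

CURRENT_UID = 1000  # alice (constructed)

# Constructed filesystem model: path -> (owner uid, mode bits).
FS: Dict[str, Tuple[int, int]] = {
    "/":                        (0,    stat.S_IFDIR | 0o755),
    "/tmp":                     (0,    stat.S_IFDIR | 0o1777),  # sticky, world-writable
    "/tmp/.mcp.json":           (1001, stat.S_IFREG | 0o644),   # planted by mallory
    "/tmp/checkout":            (1000, stat.S_IFDIR | 0o755),
    "/tmp/checkout/.git":       (1000, stat.S_IFDIR | 0o755),   # project-root marker
    "/tmp/checkout/.mcp.json":  (1000, stat.S_IFREG | 0o644),   # alice's own config
    "/tmp/checkout/src":        (1000, stat.S_IFDIR | 0o755),
}


def ancestors(cwd: str) -> List[PurePosixPath]:
    """cwd, its parent, ... up to and including '/'."""
    p = PurePosixPath(cwd)
    return [p, *p.parents]


def discover_unbounded(cwd: str) -> List[str]:
    """The walk the article describes: every ancestor up to '/' is consulted,
    with no boundary and no ownership check, so /tmp/.mcp.json is picked up
    whenever /tmp is an ancestor of the working directory."""
    found = []
    for d in ancestors(cwd):
        cand = str(d / ".mcp.json")
        if cand in FS:
            found.append(cand)
    return found


def trusted(path: str, uid: int) -> bool:
    """Exists, owned by the invoking user, and not writable by group or other."""
    entry = FS.get(path)
    if entry is None:
        return False
    owner, mode = entry
    return owner == uid and not (mode & (stat.S_IWGRP | stat.S_IWOTH))


def discover_bounded(cwd: str, uid: int = CURRENT_UID) -> List[str]:
    """Hardened walk (this example's policy): stop at the project root, i.e.
    the first ancestor containing .git, and require both the candidate file
    and its directory to pass trusted(). Either rule alone rejects the
    /tmp/.mcp.json plant; together they also keep the walk out of / entirely."""
    found = []
    for d in ancestors(cwd):
        cand = str(d / ".mcp.json")
        if cand in FS and trusted(str(d), uid) and trusted(cand, uid):
            found.append(cand)
        if str(d / ".git") in FS:
            break  # project boundary reached; do not climb into /tmp or /
    return found


if __name__ == "__main__":
    print(discover_unbounded("/tmp/checkout/src"))
    print(discover_bounded("/tmp/checkout/src"))
```

Running from /tmp/checkout/src, the unbounded walk returns alice's config followed by mallory's plant; the bounded walk returns only alice's. From a scratch directory with no .git marker (so no boundary is hit), the ownership check alone still drops the plant because /tmp is root-owned and world-writable.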