
Path-Traversal

MCP Ancestor Injection: How a .mcp.json in /tmp/ Hijacks Your Claude Code Session

Third article in my MCP security series. Claude Code’s .mcp.json discovery walks from CWD to filesystem root with no boundary check and no file ownership verification. On multi-user Linux systems, any user can drop /tmp/.mcp.json to inject MCP servers into another user’s Claude Code session. Not reported to Anthropic — here’s why, and the full technical breakdown.
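A defender-side check for the condition summarized above, as an added example that is not code from the article or from Anthropic: it repeats the CWD-to-root walk the article describes and flags any `.mcp.json` a user should not trust. The function name `audit_ancestors` and the trust policy (only the current user and root may own the file) are assumptions made for this example.

```python
import os
import stat
import sys
from pathlib import Path

CONFIG_NAME = ".mcp.json"  # file name taken from the article


def audit_ancestors(start, trusted_uids=None):
    """Return [(path, [reasons])] for every .mcp.json between `start` and /.

    An empty reasons list means the file passed these checks.
    """
    if trusted_uids is None:
        # Assumption: only the current user and root may supply MCP config.
        trusted_uids = {os.getuid(), 0}
    findings = []
    here = Path(start).resolve()
    for directory in (here, *here.parents):
        candidate = directory / CONFIG_NAME
        try:
            st = candidate.lstat()  # lstat so a planted symlink is seen as one
            dir_mode = directory.stat().st_mode
        except OSError:
            continue  # absent or unreadable: nothing to report at this level
        reasons = []
        if stat.S_ISLNK(st.st_mode):
            reasons.append("is a symlink")
        elif st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            reasons.append("file is group- or world-writable")
        if st.st_uid not in trusted_uids:
            reasons.append(f"owned by uid {st.st_uid}")
        if dir_mode & stat.S_IWOTH:
            reasons.append("directory is world-writable")
        findings.append((str(candidate), reasons))
    return findings


if __name__ == "__main__":
    start_dir = sys.argv[1] if len(sys.argv) > 1 else os.getcwd()
    for path, reasons in audit_ancestors(start_dir):
        print(f"{'SUSPECT' if reasons else 'ok':8}{path}  {'; '.join(reasons)}")
```

Run it from a project directory before starting a session; a hit in a world-writable ancestor such as `/tmp` is the case the article is about.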