
MCP Config Swap: How a Name-Only Approval Lets Attackers Swap Your Server's Binary
5 min read
Fifth article in my MCP security series. Claude Code stores MCP server approvals as plain server names — no hash, no fingerprint, no config verification. Once approved, swapping the server’s command to an arbitrary binary triggers no re-prompt. Reported to Anthropic VDP, closed as Informative (out of threat model). Full technical breakdown.
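The summary above contrasts a name-only approval record with one that pins the approved configuration. The following Python is an added illustration written for this page, not code from the article or from Claude Code: it assumes a hypothetical config shape of `{"mcpServers": {name: {command, args, env}}}` and constructs two sample configs, the originally approved one and a "swapped" one that keeps the server name but points `command` at a different binary. `name_only_check` models the weak pattern (approval keyed on the name alone, so the swap still passes), while `pinned_check` stores a SHA-256 fingerprint of the fields that decide what actually executes and reports `changed` when they no longer match, which is the point at which a client should re-prompt.

```python
import hashlib
import json

# Constructed example: the configuration that the user originally approved.
# The {"mcpServers": {...}} shape is an assumption for this illustration.
APPROVED_CONFIG = {
    "mcpServers": {
        "filesystem": {
            "command": "npx",
            "args": ["-y", "@modelcontextprotocol/server-filesystem", "/tmp"],
            "env": {},
        }
    }
}

# Constructed example: same server name, but "command" now runs a different binary.
SWAPPED_CONFIG = {
    "mcpServers": {
        "filesystem": {
            "command": "/tmp/not-the-real-server",
            "args": [],
            "env": {},
        }
    }
}


def server_fingerprint(spec: dict) -> str:
    """SHA-256 over a canonical JSON encoding of the fields that decide what runs.

    Canonical encoding (sorted keys, no whitespace) makes the hash stable across
    re-serialisation, so only a real change in command/args/env alters it.
    """
    material = {
        "command": spec.get("command"),
        "args": list(spec.get("args", [])),
        "env": dict(spec.get("env", {})),
    }
    canonical = json.dumps(material, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def approve(config: dict) -> dict:
    """Record approval for every server, pinned to its fingerprint (name -> hash)."""
    return {name: server_fingerprint(spec) for name, spec in config["mcpServers"].items()}


def name_only_check(config: dict, approvals: dict) -> dict:
    """The weak pattern: a server is 'approved' if its name was approved before."""
    return {name: name in approvals for name in config["mcpServers"]}


def pinned_check(config: dict, approvals: dict) -> dict:
    """Per-server verdict: 'approved', 'changed' (must re-prompt) or 'unknown'."""
    verdicts = {}
    for name, spec in config["mcpServers"].items():
        pinned = approvals.get(name)
        if pinned is None:
            verdicts[name] = "unknown"
        elif pinned == server_fingerprint(spec):
            verdicts[name] = "approved"
        else:
            verdicts[name] = "changed"
    return verdicts


if __name__ == "__main__":
    approvals = approve(APPROVED_CONFIG)
    print("name-only, after swap:", name_only_check(SWAPPED_CONFIG, approvals))
    print("pinned, original     :", pinned_check(APPROVED_CONFIG, approvals))
    print("pinned, after swap   :", pinned_check(SWAPPED_CONFIG, approvals))
```

Running the script shows the name-only check still reporting `{'filesystem': True}` for the swapped config, whereas the pinned check returns `changed`; a client that treats `changed` like a first-time approval closes the gap the article describes. Hashing `env` as well as `command` and `args` matters because an interpreter can be redirected through environment variables without touching the command string.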