{"id":"https://openalex.org/W7140310591","doi":"https://doi.org/10.48550/arxiv.2603.22489","title":"Model Context Protocol Threat Modeling and Analyzing Vulnerabilities to Prompt Injection with Tool Poisoning","display_name":"Model Context Protocol Threat Modeling and Analyzing Vulnerabilities to Prompt Injection with Tool Poisoning","publication_year":2026,"publication_date":"2026-03-23","ids":{"openalex":"https://openalex.org/W7140310591","doi":"https://doi.org/10.48550/arxiv.2603.22489"},"language":null,"primary_location":{"id":"doi:10.48550/arxiv.2603.22489","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2603.22489","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"Preprint"},"type":"preprint","indexed_in":["datacite"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":"https://doi.org/10.48550/arxiv.2603.22489","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5130589298","display_name":"Charoes Huang","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Huang, Charoes","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5130610222","display_name":"Xin Huang","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Huang, Xin","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5010542767","display_name":"Ngoc Phu Tran","orcid":"https://orcid.org/0000-0001-7296-7681"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Tran, Ngoc Phu","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"last","author":{"id":"https://openalex.org/A5088873940","display_name":"Amin Milani Fard","orcid":"https://orcid.org/0000-0003-0816-0597"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Fard, Amin Milani","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]}],"institutions":[],"countries_distinct_count":0,"institutions_distinct_count":0,"corresponding_author_ids":[],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":null,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":null,"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":null,"last_page":null},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.16120000183582306,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.16120000183582306,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12203","display_name":"Mobile Agent-Based Network Management","score":0.15610000491142273,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":0.11219999939203262,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/context","display_name":"Context (archaeology)","score":0.61080002784729},{"id":"https://openalex.org/keywords/vulnerability","display_name":"Vulnerability (computing)","score":0.51910001039505},{"id":"https://openalex.org/keywords/protocol","display_name":"Protocol (science)","score":0.5127000212669373},{"id":"https://openalex.org/keywords/transparency","display_name":"Transparency (behavior)","score":0.49900001287460327},{"id":"https://openalex.org/keywords/threat-model","display_name":"Threat model","score":0.4803999960422516},{"id":"https://openalex.org/keywords/exploit","display_name":"Exploit","score":0.4481000006198883},{"id":"https://openalex.org/keywords/intrusion-detection-system","display_name":"Intrusion detection system","score":0.43130001425743103},{"id":"https://openalex.org/keywords/key","display_name":"Key (lock)","score":0.39010000228881836},{"id":"https://openalex.org/keywords/honeypot","display_name":"Honeypot","score":0.3894999921321869},{"id":"https://openalex.org/keywords/metadata","display_name":"Metadata","score":0.38179999589920044}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7265999913215637},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.7206000089645386},{"id":"https://openalex.org/C2779343474","wikidata":"https://www.wikidata.org/wiki/Q3109175","display_name":"Context (archaeology)","level":2,"score":0.61080002784729},{"id":"https://openalex.org/C95713431","wikidata":"https://www.wikidata.org/wiki/Q631425","display_name":"Vulnerability (computing)","level":2,"score":0.51910001039505},{"id":"https://openalex.org/C2780385302","wikidata":"https://www.wikidata.org/wiki/Q367158","display_name":"Protocol (science)","level":3,"score":0.5127000212669373},{"id":"https://openalex.org/C2780233690","wikidata":"https://www.wikidata.org/wiki/Q535347","display_name":"Transparency (behavior)","level":2,"score":0.49900001287460327},{"id":"https://openalex.org/C140547941","wikidata":"https://www.wikidata.org/wiki/Q7797194","display_name":"Threat model","level":2,"score":0.4803999960422516},{"id":"https://openalex.org/C165696696","wikidata":"https://www.wikidata.org/wiki/Q11287","display_name":"Exploit","level":2,"score":0.4481000006198883},{"id":"https://openalex.org/C35525427","wikidata":"https://www.wikidata.org/wiki/Q745881","display_name":"Intrusion detection system","level":2,"score":0.43130001425743103},{"id":"https://openalex.org/C26517878","wikidata":"https://www.wikidata.org/wiki/Q228039","display_name":"Key (lock)","level":2,"score":0.39010000228881836},{"id":"https://openalex.org/C191267431","wikidata":"https://www.wikidata.org/wiki/Q911932","display_name":"Honeypot","level":2,"score":0.3894999921321869},{"id":"https://openalex.org/C93518851","wikidata":"https://www.wikidata.org/wiki/Q180160","display_name":"Metadata","level":2,"score":0.38179999589920044},{"id":"https://openalex.org/C739882","wikidata":"https://www.wikidata.org/wiki/Q3560506","display_name":"Anomaly detection","level":2,"score":0.37290000915527344},{"id":"https://openalex.org/C26713055","wikidata":"https://www.wikidata.org/wiki/Q245962","display_name":"Implementation","level":2,"score":0.3560999929904938},{"id":"https://openalex.org/C108759981","wikidata":"https://www.wikidata.org/wiki/Q788590","display_name":"Authorization","level":2,"score":0.33880001306533813},{"id":"https://openalex.org/C2778062554","wikidata":"https://www.wikidata.org/wiki/Q3404031","display_name":"Security community","level":2,"score":0.3294999897480011},{"id":"https://openalex.org/C192209626","wikidata":"https://www.wikidata.org/wiki/Q190909","display_name":"Focus (optics)","level":2,"score":0.3208000063896179},{"id":"https://openalex.org/C38822068","wikidata":"https://www.wikidata.org/wiki/Q131406","display_name":"Denial-of-service attack","level":3,"score":0.3052999973297119},{"id":"https://openalex.org/C121822524","wikidata":"https://www.wikidata.org/wiki/Q5157582","display_name":"Computer security model","level":2,"score":0.3043000102043152},{"id":"https://openalex.org/C187191949","wikidata":"https://www.wikidata.org/wiki/Q1138496","display_name":"Profiling (computer programming)","level":2,"score":0.3003000020980835},{"id":"https://openalex.org/C33884865","wikidata":"https://www.wikidata.org/wiki/Q1254335","display_name":"Cryptographic protocol","level":3,"score":0.2994999885559082},{"id":"https://openalex.org/C2778553114","wikidata":"https://www.wikidata.org/wiki/Q1035293","display_name":"Database security","level":2,"score":0.2953000068664551},{"id":"https://openalex.org/C92446256","wikidata":"https://www.wikidata.org/wiki/Q3306762","display_name":"Data validation","level":2,"score":0.28940001130104065},{"id":"https://openalex.org/C527648132","wikidata":"https://www.wikidata.org/wiki/Q189900","display_name":"Information security","level":2,"score":0.2858000099658966},{"id":"https://openalex.org/C2775941552","wikidata":"https://www.wikidata.org/wiki/Q25212305","display_name":"Isolation (microbiology)","level":2,"score":0.28540000319480896},{"id":"https://openalex.org/C137822555","wikidata":"https://www.wikidata.org/wiki/Q2587068","display_name":"Information sensitivity","level":2,"score":0.28529998660087585},{"id":"https://openalex.org/C126831891","wikidata":"https://www.wikidata.org/wiki/Q221673","display_name":"Host (biology)","level":2,"score":0.2833000123500824},{"id":"https://openalex.org/C182590292","wikidata":"https://www.wikidata.org/wiki/Q989632","display_name":"Network security","level":2,"score":0.2806999981403351},{"id":"https://openalex.org/C33762810","wikidata":"https://www.wikidata.org/wiki/Q461671","display_name":"Data integrity","level":2,"score":0.2793999910354614},{"id":"https://openalex.org/C93996380","wikidata":"https://www.wikidata.org/wiki/Q44127","display_name":"Server","level":2,"score":0.2728999853134155},{"id":"https://openalex.org/C154908896","wikidata":"https://www.wikidata.org/wiki/Q2167404","display_name":"Security policy","level":2,"score":0.2711000144481659},{"id":"https://openalex.org/C97686452","wikidata":"https://www.wikidata.org/wiki/Q7604153","display_name":"Static analysis","level":2,"score":0.2694999873638153},{"id":"https://openalex.org/C2779965156","wikidata":"https://www.wikidata.org/wiki/Q5227350","display_name":"Data sharing","level":3,"score":0.2581000030040741},{"id":"https://openalex.org/C165136773","wikidata":"https://www.wikidata.org/wiki/Q1363179","display_name":"Single point of failure","level":2,"score":0.25540000200271606},{"id":"https://openalex.org/C47487241","wikidata":"https://www.wikidata.org/wiki/Q5227230","display_name":"Data access","level":2,"score":0.25360000133514404}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.48550/arxiv.2603.22489","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2603.22489","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":null,"is_accepted":false,"is_published":null,"raw_source_name":null,"raw_type":"Preprint"}],"best_oa_location":{"id":"doi:10.48550/arxiv.2603.22489","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2603.22489","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"Preprint"},"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":0,"referenced_works":[],"related_works":[],"abstract_inverted_index":{"The":[0],"Model":[1],"Context":[2],"Protocol":[3],"(MCP)":[4],"has":[5,193],"rapidly":[6],"emerged":[7],"as":[8],"a":[9,128,164,186],"universal":[10],"standard":[11],"for":[12,206],"connecting":[13],"AI":[14,27,208],"assistants":[15],"to":[16,155],"external":[17],"tools":[18],"and":[19,29,65,81,92,112,138,159,179,199,203],"data":[20],"sources.":[21],"While":[22],"MCP":[23,50,79,86,135,190],"simplifies":[24],"integration":[25],"between":[26],"applications":[28],"various":[30],"services,":[31],"it":[32],"introduces":[33],"significant":[34,147],"security":[35,148],"vulnerabilities,":[36,198],"particularly":[37],"on":[38,122,196],"the":[39,109],"client":[40],"side.":[41],"In":[42],"this":[43,123],"work":[44],"we":[45],"conduct":[46],"threat":[47],"modelings":[48],"of":[49,60,63,131],"implementations":[51],"using":[52],"STRIDE":[53],"(Spoofing,":[54],"Tampering,":[55],"Repudiation,":[56],"Information":[57],"Disclosure,":[58],"Denial":[59],"Service,":[61],"Elevation":[62],"Privilege)":[64],"DREAD":[66],"(Damage,":[67],"Reproducibility,":[68],"Exploitability,":[69],"Affected":[70],"Users,":[71],"Discoverability)":[72],"frameworks":[73],"across":[74],"five":[75],"key":[76],"components:":[77],"(1)":[78],"Host":[80],"Client,":[82],"(2)":[83],"LLM,":[84],"(3)":[85],"Server,":[87],"(4)":[88],"External":[89],"Data":[90],"Stores,":[91],"(5)":[93],"Authorization":[94],"Server.":[95],"This":[96,183],"comprehensive":[97],"analysis":[98,145],"reveals":[99,146],"tool":[100,107,141],"poisoning-where":[101],"malicious":[102],"instructions":[103],"are":[104],"embedded":[105],"in":[106,189],"metadata-as":[108],"most":[110,151],"prevalent":[111],"impactful":[113],"client-side":[114],"vulnerability.":[115],"We":[116,162],"therefore":[117],"focus":[118],"our":[119],"empirical":[120],"evaluation":[121],"critical":[124,187],"attack":[125],"vector,":[126],"providing":[127],"systematic":[129],"comparison":[130],"how":[132],"seven":[133],"major":[134],"clients":[136,153],"validate":[137],"defend":[139],"against":[140],"poisoning":[142],"attacks.":[143],"Our":[144],"issues":[149],"with":[150],"tested":[152],"due":[154],"insufficient":[156],"static":[157,169],"validation":[158],"parameter":[160],"visibility.":[161],"propose":[163],"multi-layered":[165],"defense":[166],"strategy":[167],"encompassing":[168],"metadata":[170],"analysis,":[171],"model":[172],"decision":[173],"path":[174],"tracking,":[175],"behavioral":[176],"anomaly":[177],"detection,":[178],"user":[180],"transparency":[181],"mechanisms.":[182],"research":[184],"addresses":[185],"gap":[188],"security,":[191],"which":[192],"primarily":[194],"focused":[195],"server-side":[197],"provides":[200],"actionable":[201],"recommendations":[202],"mitigation":[204],"strategies":[205],"securing":[207],"agent":[209],"ecosystems.":[210]},"counts_by_year":[],"updated_date":"2026-07-01T06:00:48.157686","created_date":"2026-03-26T00:00:00"}
