Give Them an Inch and They Will Take a Mile:Understanding and Measuring Caller Identity Confusion in MCP-Based AI Systems

📝 Paper Summary

AI Safety and Security Agentic Middleware

MCP servers frequently cache authorization state without binding it to the caller's identity, allowing malicious remote agents to hijack existing trusted sessions and execute unauthorized commands.

Core Problem

MCP servers decouple agent reasoning from system execution but often implement stateful authorization that fails to distinguish between different callers.

Why it matters:

MCP is becoming a de facto standard ('USB-C of AI applications') for connecting LLMs to backend systems
LLMs are stateless and cannot reliably preserve user identity, leading developers to rely on insecure persistent server-side authorization
A single authorization mistake in middleware allows attackers to execute remote commands or access sensitive files without stealing credentials

Concrete Example: A legitimate user authorizes an MCP server to access a Google Drive. Because the server caches this 'authorized' state globally, a separate malicious agent connecting to the same server can subsequently delete files on that Drive without ever authenticating.

Key Novelty

Caller Identity Confusion & MCPAuthChecker

Identifies 'Caller Identity Confusion': a vulnerability where authorization is bound to the server process rather than the specific agent invoking the tool
Develops a hybrid analysis framework that combines static path analysis (tracking auth checks) with dynamic validation (verifying execution success) to detect this flaw

Evaluation Highlights

46.4% of 6,137 real-world MCP servers analyzed exhibit insecure authorization behavior (missing, cached, or reused)
8 out of 87 widely used open-source MCP projects (>1K stars) contained critical vulnerabilities allowing Remote Command Execution (RCE)
52% of developer-facing MCP servers are insecure, exposing dense execution interfaces to potential hijacking

Breakthrough Assessment

9/10

Exposes a pervasive, fundamental architectural flaw in a rapidly adopting industry standard (MCP). The scale of vulnerability (46%) and impact (RCE) in real-world systems is high.

⚙️ Technical Details

Problem Definition

Setting: Security analysis of Model Context Protocol (MCP) servers

Inputs: Source code of MCP server implementations (JavaScript/TypeScript/Python)

Outputs: Vulnerability report classifying servers as Secure or Insecure (Caller Identity Confusion)

Pipeline Flow

Entry Point Identification (Detect tool/call handlers)
Path-Sensitive Static Analysis (Check for auth logic)
Dynamic Validation (Verify execution outcome)

System Modules

Entry Point Identifier (Static Analysis)

Locate execution-trigger points where protocol-level tool calls commit to concrete execution

Path Analyzer (Static Analysis)

Determine if authorization is explicitly enforced along execution paths leading to sensitive operations

Dynamic Validator

Observe execution outcomes to verify if tool invocations succeed under existing authorization state without re-auth

Modeling

Base Model: Not applicable (Analysis framework, not a trained model)

Compute: Not reported in the paper

Comparison to Prior Work

vs. Android: MCP lacks system-level infrastructure; authorization is decentralized and implementation-dependent
vs. Web Middleware: MCP servers often assume single-user context and lack standardized identity propagation protocols

Limitations

Analysis relies on the availability of server source code or binaries for inspection
Dynamic validation requires the server to be in a runnable state with dependencies met
Does not cover vulnerabilities arising from flaws in the backend systems themselves, only the MCP mediation layer

Reproducibility

No replication artifacts mentioned in the paper. The paper details the logic of 'MCPAuthChecker' but does not provide a repository URL. Vulnerabilities were responsibly disclosed.

📊 Experiments & Results

Evaluation Setup

Large-scale security measurement of open-source MCP servers

Benchmarks:

Real-world MCP Server Corpus (Vulnerability Scanning) [New]
Top-Starred Projects Subset (Manual Security Audit) [New]

Metrics:

Number of insecure servers
Percentage of servers with Caller Identity Confusion
Number of confirmed RCE vulnerabilities
Statistical methodology: Not explicitly reported in the paper

Key Results

Benchmark	Metric	Baseline	This Paper	Δ
Large-scale measurement results quantifying the prevalence of Caller Identity Confusion across the MCP ecosystem.
Real-world MCP Server Corpus	Insecure Servers (Count)	6137	2846	46.4%
Real-world MCP Server Corpus	Insecure Developer Tools (Percentage)	100	52	52%
Detailed audit of high-profile projects reveals critical exploitable vulnerabilities.
Top-Starred Projects Subset	Projects with RCE	87	8	9.2%

Main Takeaways

Caller Identity Confusion is pervasive (46.4% of servers), not isolated to low-quality projects.
Insecure patterns persist across all functional domains, with Developer Tools being the most affected (52%).
The vulnerability enables high-impact attacks including Remote Command Execution (RCE) and unauthorized UI control without requiring credential theft.

📚 Prerequisite Knowledge

Prerequisites

Understanding of the Model Context Protocol (MCP) architecture
Basic concepts of Authentication vs. Authorization
Knowledge of Static Analysis (taint tracking, control flow)

Key Terms

MCP: Model Context Protocol—an open standard interface enabling LLMs to interact with external tools and services

Caller Identity Confusion: A vulnerability where a server executes a request based on a previously established authorization state without verifying the identity of the current caller

RCE: Remote Command Execution—an attack where an adversary can execute arbitrary system commands on a target server

Stateful Authorization: An authorization pattern where access rights are cached in the server's memory after an initial check, rather than verified per request

Path-sensitive analysis: A static analysis technique that explores specific execution paths through code to determine if safety properties (like auth checks) hold along those paths

LLM Agent: An AI system that uses Large Language Models to reason about and execute tasks by calling external tools

Middleware-based Execution: An architecture where an intermediary process (middleware) handles the actual execution of tools requested by an AI model