## Critical Prompt Injection Gap Found in MCP Tool Execution Pipeline: Untrusted Data Flows Directly to LLM
A newly documented vulnerability in the Model Context Protocol (MCP) tool execution pipeline allows untrusted tool results to enter LLM conversations without sanitization, injection warnings, or structural boundary markers. The issue, filed as a GitHub security concern, details how the `MCPManager.CallTool()` method joins `TextContent` parts into a plain string, which the executor returns unchanged. The agent loop then appends this output directly as a `tool` message, giving no structural signal to the LLM that the content is external and untrusted.

The vulnerability creates an attack surface distinct from previously documented prompt injection vectors. Unlike memory content injection, which requires persistence to a knowledge graph, this flaw operates in real-time. A malicious or compromised MCP server, connector endpoint, or custom YAML tool can return arbitrary text—including instructions disguised as system commands—and the LLM will process them as legitimate conversation content. The report explicitly draws a parallel to an earlier memory injection flaw but notes the current issue expands the exposure window significantly.

The implications extend to any system where third-party MCP servers or custom tool connectors are permitted. An attacker who controls such an endpoint could manipulate LLM behavior, potentially overriding safety instructions or extracting sensitive conversation context. The disclosure does not indicate whether this vulnerability has been exploited in active deployments, but the lack of runtime sanitization represents a structural gap in how tool results are handled. Security reviewers have flagged the issue as requiring immediate architectural attention, particularly for deployments in sensitive or high-trust environments.
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: prompt injection, MCP, LLM security, tool sandboxing, AI vulnerability
- **Credibility**: unverified
- **Published**: 2026-05-05 12:31:40
- **ID**: 79461
- **URL**: https://whisperx.ai/en/intel/79461