Security Audit Flags Critical Communication Flaws in MCP Infrastructure: Plaintext Identity Headers, Zero Network Isolation
An internal security review of the MCP platform's in-cluster communication has identified critical architectural vulnerabilities in its proxy infrastructure. The audit, labeled as alpha-stage hardening work, reveals that the gateway component can be bypassed entirely: any pod within the cluster can reach MCP servers and inject arbitrary identity headers. The findings represent a fundamental trust misconfiguration in the platform's service-to-service communication layer.
The most severe issue, labeled C1, stems from the MCP proxy using plain `http.DefaultTransport` for upstream calls (lines 166-167 of `services/mcp-proxy/main.go`) and forwarding identity as unencrypted headers (lines 765-784). This design assumes all cluster pods are trusted and performs no independent verification of the identity it forwards. A second critical finding, C2, documents zero NetworkPolicy resources anywhere in the repository: a search across all YAML files returned no matches for `kind: NetworkPolicy`. With no namespace-level traffic restrictions, lateral movement within the cluster remains unconstrained. The audit specifically flags the `mcp-sentinel`, `mcp-runtime`, and `mcp-serv` namespaces as lacking isolation controls.
The implications extend beyond the documented vulnerabilities. The platform's current architecture operates on an implicit inside-the-perimeter trust model rather than zero-trust principles. Without mTLS or HMAC-signed identity headers between the gateway and upstream services, any compromised pod or credentialed insider could impersonate legitimate service identities. The lack of documented NetworkPolicies suggests that no enforcement layer exists to limit pod-to-pod communication, a control that is critical for MCP servers that may handle sensitive data or operations. Items warranting coordinated disclosure are being moved to private GitHub Security Advisories, indicating that the team recognizes disclosure-sensitive elements in the full findings.
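
One way to implement the HMAC-signed identity headers mentioned above, as an added example that is not code from the MCP project: the gateway signs the identity with a shared key, and the upstream rejects any request whose identity is unsigned, altered, stale or replayed against another path. The header names, key and URL are assumptions; the audit does not name the proxy's actual headers.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/http"
	"time"
)

// Hypothetical header names; the audit does not list the proxy's real ones.
const hdrUser, hdrTS, hdrSig = "X-Mcp-User", "X-Mcp-Identity-Ts", "X-Mcp-Identity-Sig"
const maxSkew = 30 * time.Second

// mac binds the identity to a timestamp plus the request method and path.
func mac(key []byte, user, ts, method, path string) []byte {
	m := hmac.New(sha256.New, key)
	fmt.Fprintf(m, "%d:%s|%s|%s|%s", len(user), user, ts, method, path)
	return m.Sum(nil)
}

// SignIdentity runs in the gateway after it has authenticated the caller.
func SignIdentity(r *http.Request, key []byte, user string, now time.Time) {
	ts := now.UTC().Format(time.RFC3339)
	r.Header.Set(hdrUser, user)
	r.Header.Set(hdrTS, ts)
	r.Header.Set(hdrSig, hex.EncodeToString(mac(key, user, ts, r.Method, r.URL.Path)))
}

// VerifyIdentity runs in the upstream server before it trusts hdrUser.
func VerifyIdentity(r *http.Request, key []byte, now time.Time) (string, error) {
	user, ts := r.Header.Get(hdrUser), r.Header.Get(hdrTS)
	sig, err := hex.DecodeString(r.Header.Get(hdrSig))
	t, tsErr := time.Parse(time.RFC3339, ts)
	d := now.Sub(t)
	if err != nil || tsErr != nil || user == "" || d > maxSkew || d < -maxSkew {
		return "", fmt.Errorf("identity headers missing, malformed or stale")
	}
	if !hmac.Equal(sig, mac(key, user, ts, r.Method, r.URL.Path)) {
		return "", fmt.Errorf("identity signature mismatch")
	}
	return user, nil
}

func main() {
	r, _ := http.NewRequest("POST", "http://mcp-server.example/tools/call", nil)
	SignIdentity(r, []byte("constructed-demo-key"), "alice", time.Now())
	fmt.Println(VerifyIdentity(r, []byte("constructed-demo-key"), time.Now()))
}
```

A shared-key MAC lets the upstream authenticate the gateway's identity claim but does not encrypt the headers; confidentiality on the wire still requires TLS or mTLS on the transport.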