MCPHunt: first benchmark measuring credential leakage across trust boundaries in multi-server MCP agents — rates of 11.5–41.3%

Researchers have introduced MCPHunt, the first controlled benchmark designed to isolate unintentional credential leakage across trust boundaries in multi-server MCP agent systems. MCP (Model Context Protocol) is an open standard that allows LLMs to access external tools and data via multiple independent servers; the problem arises when a combination of read and write tools — each with legitimate permissions — inadvertently transfers sensitive data from one context to another.

What does MCPHunt measure?

MCPHunt measures credential propagation that violates redaction policy, even when an agent at any individual level is acting within its assigned permissions. The benchmark covers 3,615 main evaluation traces across 5 different models, 147 scenarios, and 9 mechanism families through which data can be unintentionally moved.

The central metric is the rate of “policy-violating propagation” — how often an agent transfers a credential across a trust boundary despite existing redaction options or safer alternatives. Results show a range of 11.5–41.3% depending on the model, with the highest concentration of violations in browser-mediated data flows, where an agent fetches a page and forwards the result to another server.

How do the controls work?

Three methodological pillars give the benchmark objectivity:

1. Canary-based taint tracking reduces leakage detection to exact string matching — an agent that passes a marked canary token across a boundary is recorded without subjective judgment.
2. Environment-controlled coverage combines risky, benign, and hard-negative scenarios to eliminate false positives and validate pipeline integrity.
3. CRS stratification (Credential Routing Stratification) separates propagation that is necessary for task execution from that which violates policy — without this separation, fair model comparisons are impossible.

How much do prompt-based defenses help?

Prompt-based mitigations achieve up to 97% reduction in violations while retaining 80.5% utility — an apparently strong result. But the authors immediately qualify the finding: effectiveness strictly correlates with the model’s instruction-following capability, meaning weaker models remain vulnerable even with the same mitigation prompt.

Hard-negative controls show that leakage does not require production credential format — a prompt-driven cross-boundary data flow is sufficient to transfer a value, confirming that the vulnerability is structural, not implementation-specific. The paper’s conclusion is clear: prompt-level defenses alone are insufficient; mechanical controls at the protocol and runtime level are needed that physically prevent unauthorized data paths.

Why does this matter?

MCP became the de facto standard in 2025 and 2026 for connecting LLM agents to tools — from knowledge bases to email clients to CI/CD systems. Every new MCP server expands the attack surface. MCPHunt is the first to quantify a system that until now had no standardized security metric, and opens the door for tools that will protect analysts before agentic workflows become the dominant integration method.