Thursday June 25, 2026 2:45pm - 3:15pm CEST
The OWASP MCP Top 10 identifies the most critical security risks in MCP-enabled ecosystems. At the top of that list sits MCP Top 01: Untrusted Context Injection, a class of vulnerabilities where malicious inputs manipulate the context provided to AI agents, influencing their reasoning and actions.

Unlike traditional vulnerabilities that exploit deterministic code paths, MCP attacks target the decision-making layer of AI systems.

In this session, we explore how attackers can manipulate agent context, poison tool outputs, or inject instructions that cause AI systems to leak sensitive data, perform unintended actions, or bypass security controls.

Through real-world examples and architectural analysis, we will walk through the emerging MCP threat model and discuss defensive patterns organizations must adopt to secure the next generation of agentic AI systems.

The future of application security may depend on securing not just code but the context that AI thinks with.
Speakers
Vandana Verma Sehgal

Vandana Verma is a Security Leader at Snyk, a podcast host, a Diversity and Inclusion Advocate, and an International speaker and influencer on a range of Information Security topics, including Application Security, DevSecOps, Cloud Security, and Security Careers.

From being the Chair of the OWASP Global Board of Directors to running various groups promoting security to organising conferences to even delivering keynote addresses at several of them, she is engaged continuously and proactively in making the global application security communit

Room -2.82 (Level 2)
