Cyber Security News

Critical Vulnerability in MCP Server Platform Exposes 3,000+ Servers and Thousands of API Keys

A critical vulnerability has been disclosed in Smithery.ai, a popular registry for Model Context Protocol (MCP) servers. The issue could have allowed attackers to compromise over 3,000 AI servers and harvest API keys from thousands of users across many services.

MCP powers AI apps by linking them to external tools and data, like local filesystems or remote databases. Servers come in local or remote flavors, with remote ones often self-hosted or fully managed by providers.

According to GitGuardian, Smithery.ai’s hybrid model simplifies deployment by hosting user-submitted servers on its infrastructure, built from GitHub repos into Docker images. But this convenience amplified the stakes: a single breach could ripple across an entire ecosystem of AI tools.

Exploiting a Simple Configuration Vulnerability

The flaw stemmed from lax controls in Smithery’s build process. Users submit a smithery.yaml file specifying the Docker build context via dockerBuildPath. Legitimate configurations point inside the repository, but the system did not validate the value, enabling path traversal attacks.

By setting dockerBuildPath to “..”, attackers could reference the builder machine’s home directory outside the repo, exposing sensitive files to a malicious Dockerfile.
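As an added example (not Smithery’s code, and not from GitGuardian’s write-up), here is the validation the build pipeline lacked: resolve dockerBuildPath against the checked-out repository and refuse any value, including “..”, an absolute path or a symlink, that lands outside it. The helper that pulls the key out of smithery.yaml is a hypothetical minimal one, and the sample manifests and throwaway repo are constructed.

```python
import os
import re
import tempfile
from pathlib import Path

# Minimal extraction of the dockerBuildPath key from smithery.yaml text (hypothetical
# helper; assumes a single `dockerBuildPath: value` line rather than parsing full YAML).
_KEY_RE = re.compile(r"^\s*dockerBuildPath:\s*(.*)$", re.MULTILINE)

def extract_docker_build_path(yaml_text: str) -> str:
    """Return the declared dockerBuildPath, or '.' (the repo root) when it is absent."""
    m = _KEY_RE.search(yaml_text)
    if not m:
        return "."
    value = m.group(1).split("#", 1)[0].strip().strip("'\"")
    return value or "."

def resolve_build_context(repo_root: str, docker_build_path: str) -> str:
    """Return the absolute build context, or raise ValueError if it leaves repo_root.
    Absolute paths are refused; relative ones are joined to the checked-out repo and fully
    resolved, so '..' segments and symlinks pointing outside the repo are both caught."""
    if os.path.isabs(docker_build_path):
        raise ValueError(f"absolute dockerBuildPath not allowed: {docker_build_path!r}")
    root = Path(repo_root).resolve()
    candidate = (root / docker_build_path).resolve()
    if candidate != root and root not in candidate.parents:
        raise ValueError(f"dockerBuildPath escapes the repository: {docker_build_path!r}")
    return str(candidate)

def build_context_is_safe(repo_root: str, docker_build_path: str) -> bool:
    try:
        resolve_build_context(repo_root, docker_build_path)
        return True
    except ValueError:
        return False

# Constructed sample manifests: a legitimate one and the '..' value described above.
SAFE_YAML = "build:\n  dockerBuildPath: server\n"
TRAVERSAL_YAML = "build:\n  dockerBuildPath: '..'  # resolves to the builder home dir\n"

def demo() -> dict:
    """Run the check over a throwaway repo that also contains a symlink to its parent."""
    root = tempfile.mkdtemp(prefix="repo-")
    os.makedirs(os.path.join(root, "server"))
    os.symlink(os.path.dirname(root), os.path.join(root, "escape"))  # escape hatch via symlink
    cases = {"server": "server", "dot": ".", "traversal": extract_docker_build_path(TRAVERSAL_YAML),
             "nested": "server/../..", "absolute": "/", "symlink": "escape"}
    return {name: build_context_is_safe(root, value) for name, value in cases.items()}
```

Only "server" and "." survive the check; the traversal, nested, absolute and symlink cases are all rejected before any Dockerfile runs.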

In testing, GitGuardian crafted a repo named “test” with a rigged smithery.yaml and Dockerfile. The latter used curl to exfiltrate the directory tree to an attacker-controlled site, revealing files like .docker/config.json.

This file held an overprivileged fly.io authentication token, meant for Docker registry access but granting broader machine API privileges.

Fly.io powers Smithery’s hosting with virtualized containers, and the token unlocked an organization with 3,243 apps, mostly MCP servers, plus service infrastructure.

With the token, attackers could query apps, execute code on machines (confirming root access with the id command), and even sniff network traffic.

Compromised Server Key

Capturing HTTP requests to a compromised server exposed client-sent API keys, like a Brave key in query params. Scaled up, this could harvest secrets from thousands of clients connecting to services via MCP servers, according to GitGuardian.

The incident highlights supply-chain perils in centralized AI hosting. MCP servers often rely on static API keys rather than OAuth, which makes them easier to abuse and harder to scope to least privilege.

Echoing breaches like Salesloft’s OAuth abuse, it shows how one flaw enables lateral movement across trust boundaries.

Smithery fixed the traversal on June 15, 2025, after disclosure on June 13, rotating keys and tightening builds. As AI ecosystems grow, such platforms must prioritize isolation to shield developers from ecosystem-wide threats.

Guru Baran