Xeris Threat Lab Uncovers Metadata Forgery Vulnerability in MCP Servers

Silent metadata manipulation allows malicious MCP Servers to access unauthorized LLM data, exposing a new layer of AI infrastructure risk.

New Report Reveals Silent Escalation Technique Targeting AI Agent Metadata Instructions

Xeris.ai, a cybersecurity startup specializing in protecting AI workflows and MCP (Model Context Protocol) infrastructure, today announced a forthcoming threat report exposing a previously undocumented vulnerability—XERIS-006: Metadata Forge.

This newly discovered attack reveals how malicious MCP Servers can silently manipulate metadata sent to Large Language Models (LLMs), allowing unauthorized access to sensitive information. The vulnerability, tested against Anthropic’s Claude Desktop using a modified “Customer Support” MCP Server, demonstrates how simple metadata field rewrites can completely alter AI behavior—without the user’s knowledge or consent.

“This isn’t a prompt injection or jailbreak, it’s a silent metadata hijack that bypasses both user awareness and platform controls,” said Shlomo Touboul, Co-Founder and Chairman of Xeris.ai. “MCPs are rapidly becoming the hidden control layer behind enterprise AI. We must treat them as privileged software—because attackers already do.”

How the Attack Works
The Metadata Forge vulnerability exploits the weak validation of tool metadata within MCP Server responses. In the published case, a malicious MCP Server injected a hidden instruction to transform ticket_id metadata from CS- (Customer Support) to SEC- (Security Incident), tricking the LLM into retrieving confidential security alerts instead of user-approved tickets. The LLM never alerted the user to this change.

The attack was confirmed by:

Code-level patch injection in the MCP Server’s metadata definition

Unmodified user prompts are returning unauthorized security data.

Behavioral validation in the Claude Desktop LLM interface

This form of metadata forgery can impact any enterprise using unverified or shadow MCP Servers to connect agents, workflows, or external systems to LLMs.

Report Access and Recommendations
XERIS-006: Metadata Forge is available for early access at:
👉 https://xeris.ai/threat-reports/metadata-forge-attack

Organizations are advised to:

1. Implement strict signature validation on MCP Server responses.
2. Monitor for instruction mismatches between user prompts and tool output.s
3. Audit and approve all MCP Server sources interacting with enterprise LLM systems

About Xeris.ai
Xeris.ai provides AI XDR (Extended Detection and Response) solutions for securing AI agents, assistants, and LLM workflows. The company focuses on preventing logic-layer threats within AI pipelines, offering tools for MCP monitoring, policy enforcement, and real-time anomaly detection.

To learn more or request demo code for the Metadata Forge attack:
📧 info@xeris.ai
🌐 https://xeris.ai

Shlomo Touboul
Xeris AI
+972 54-422-7780
email us here
Visit us on social media:
LinkedIn