Critical MCP Server Flaw Exposes Over 3,000 Servers and Thousands of API Keys

A critical vulnerability in Smithery.ai, a popular Model Context Protocol (MCP) server hosting service, exposed over 3,000 AI servers and thousands of API keys to potential attackers.

Security researchers discovered a simple path traversal flaw that enabled unauthorized access to sensitive infrastructure files, compromising administrative credentials and threatening entire AI ecosystems.

The Discovery and Initial Breach

Researchers uncovered the vulnerability while studying Smithery’s hosted servers for a previous project.

The flaw stemmed from improper validation of the dockerBuildPath configuration value in the registry’s build process.

Attackers could manipulate this parameter to reference locations outside the MCP server code repository, effectively accessing arbitrary files on the builder machine’s filesystem.

By setting the build context to a parent directory and using a malicious Dockerfile, researchers exfiltrated sensitive files including Docker authentication credentials.
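The check the page describes as missing is a containment test on the configured build context: the registry-supplied dockerBuildPath must resolve to a directory inside the cloned MCP server repository, not to a parent directory or to anywhere else on the builder's filesystem. The following Python is an added example written for this article, not Smithery's code; the function name, the repository layout it constructs and the path strings it tests are all assumptions chosen to illustrate the check.

```python
"""Containment check for a Docker build-context path (added example, not
Smithery's code). `dockerBuildPath` is treated as relative to the cloned
repository root and must resolve inside it after symlinks are followed."""
import os
import tempfile
from pathlib import Path


class UnsafeBuildPath(ValueError):
    """Raised when a configured build path would escape the repository root."""


def resolve_build_context(repo_root: str, docker_build_path: str) -> Path:
    """Return the real build-context directory or raise UnsafeBuildPath.

    Resolving both sides with symlinks followed means `..` segments,
    absolute paths and symlinks pointing outside the repo are all caught
    by one containment test.
    """
    root = Path(repo_root).resolve(strict=True)
    if os.path.isabs(docker_build_path):
        raise UnsafeBuildPath(f"absolute build path not allowed: {docker_build_path!r}")
    candidate = (root / docker_build_path).resolve(strict=False)
    # is_relative_to() is a path-component test; a plain string prefix check
    # would wrongly accept /srv/repo-evil as being inside /srv/repo.
    if not candidate.is_relative_to(root):
        raise UnsafeBuildPath(f"build path escapes repository: {docker_build_path!r}")
    if not candidate.is_dir():
        raise UnsafeBuildPath(f"build path is not a directory: {docker_build_path!r}")
    return candidate


def demo() -> dict:
    """Constructed layout: a repo with a legitimate subdirectory and a symlink
    that points to a directory outside the repo. Returns accept/reject per path."""
    with tempfile.TemporaryDirectory() as tmp:
        outside = Path(tmp) / "outside"
        outside.mkdir()
        repo = Path(tmp) / "repo"
        (repo / "server").mkdir(parents=True)
        (repo / "escape").symlink_to(outside, target_is_directory=True)

        results = {}
        # Constructed test inputs: two legitimate contexts, three escapes.
        for p in [".", "server", "../outside", "server/../../outside", "escape", "/etc"]:
            try:
                resolve_build_context(str(repo), p)
                results[p] = "accepted"
            except UnsafeBuildPath:
                results[p] = "rejected"
        return results


if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{path!r:28} -> {verdict}")
```

The symlink case is the one most often missed: a repository can legitimately contain a symlink, so the check has to run on the resolved target, not on the literal string the registry was given.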

The compromised .docker/config.json file contained a fly.io authentication token that proved severely overprivileged, granting access far beyond its intended Docker registry permissions.

The stolen fly.io API token provided access to an organization containing more than 3,000 applications, most corresponding to hosted MCP servers.

The token’s excessive privileges allowed attackers to execute arbitrary code on any hosted server through fly.io’s machines API.

Researchers demonstrated this capability by running remote commands with root access on compromised machines.

[Figure: A client request to the compromised server contains an API key]

This level of access created a massive supply chain risk. MCP servers handle authentication secrets for remote resources including databases and APIs.

By controlling these servers, attackers could intercept network traffic and extract API keys sent by clients.

Researchers captured actual client requests containing sensitive credentials like Brave Search API keys, demonstrating how thousands of customers across hundreds of services could be compromised.

The vulnerability was responsibly disclosed and quickly patched, with no evidence of active exploitation discovered. However, the incident highlights critical security challenges in centralized AI infrastructure.

MCP enables AI applications to connect with external tools and data sources, but the concentration of servers on one platform creates a high-value target where a single vulnerability can cascade across the entire ecosystem.

The attack mirrors previous supply chain incidents like the Salesloft breach, where threat actors exploited centralized credential storage to compromise multiple organizations simultaneously.

Most MCP servers rely on static, long-term API keys rather than OAuth authentication, which amplifies the potential impact: static keys cannot be scoped as finely, and they remain valid until someone rotates them, lengthening the window in which a stolen key can be used.
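The difference between a static key and a scoped, short-lived credential is easiest to see side by side. The Python below is an added example for this article, not code from Smithery, MCP or any vendor named here; the HMAC token format, the scope names ("search:read", "db:write"), the placeholder key string and the timestamps are all constructed for illustration. A static key passes the check regardless of when it is presented or what it is used for; the scoped token is refused after its lifetime, for an operation outside its scope, and when signed with the wrong secret.

```python
"""Static API key versus scoped, short-lived token (added example, not any
project's code). The token is a minimal HMAC-signed JSON payload; real
deployments would use an OAuth access token with equivalent claims."""
import base64
import binascii
import hashlib
import hmac
import json

# Constructed placeholder, not a real key.
STATIC_KEY = "sk-constructed-static-key"


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(secret: bytes, subject: str, scopes, ttl_seconds: int, now: int) -> str:
    """Mint a token carrying subject, granted scopes, issue time and expiry."""
    payload = {"sub": subject, "scope": sorted(scopes), "iat": now, "exp": now + ttl_seconds}
    body = _b64e(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64e(sig)}"


def verify_token(secret: bytes, token: str, required_scope: str, now: int):
    """Return (accepted, reason). Signature is checked before any claim is read."""
    try:
        body, sig = token.split(".", 1)
        presented = _b64d(sig)
    except (ValueError, binascii.Error):
        return False, "malformed"
    expected = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, presented):
        return False, "bad signature"
    payload = json.loads(_b64d(body))
    if now >= payload["exp"]:
        return False, "expired"
    if required_scope not in payload["scope"]:
        return False, "scope not granted"
    return True, "ok"


def check_static_key(presented: str, now: int, required_scope: str):
    """A static key carries no expiry and no scope: the holder gets everything,
    for as long as the key exists. `now` and `required_scope` cannot be used."""
    return hmac.compare_digest(presented, STATIC_KEY), "static key has no expiry or scope"


def demo() -> dict:
    """Constructed scenario: a 15-minute token scoped to search only."""
    secret = b"constructed-signing-secret"
    t0 = 1_700_000_000
    tok = issue_token(secret, "mcp-client-42", ["search:read"], 900, t0)
    forged = issue_token(b"attacker-guessed-secret", "mcp-client-42", ["db:write"], 900, t0)
    return {
        "scoped_fresh": verify_token(secret, tok, "search:read", t0 + 60)[0],
        "scoped_other_scope": verify_token(secret, tok, "db:write", t0 + 60)[0],
        "scoped_after_expiry": verify_token(secret, tok, "search:read", t0 + 3600)[0],
        "scoped_forged": verify_token(secret, forged, "db:write", t0 + 60)[0],
        "static_after_a_year": check_static_key(STATIC_KEY, t0 + 365 * 86400, "db:write")[0],
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:22} -> {'accepted' if accepted else 'rejected'}")
```

The point of the comparison is the last line of the result: a stolen static key is still good a year later for any operation, while a stolen scoped token is useless within minutes and never grants more than it was issued for. OAuth does not stop the credential from being captured in the first place, which is why the article calls it an incomplete defense; it shrinks what the capture is worth.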

Security experts emphasize that organizations must carefully evaluate MCP hosting models and implement proper secrets management practices.

While OAuth isn’t a complete defense against supply chain compromise, proper configuration can significantly reduce incident impact.

As AI infrastructure continues to evolve, the concentration of sensitive credentials in centralized platforms demands heightened security vigilance and adherence to MCP best practices for credential handling and authentication protocols.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.