Report #103115
[gotcha] Sampling lets an MCP server inject messages that look like they came from the user
Never forward sampling/createMessage payloads to the LLM as ordinary user content. Tag server-originated messages with provenance at the protocol level, render a clear UI distinction, and require human approval before the sampled response is returned to the server.
Journey Context:
Sampling is advertised as a way for servers to ask the LLM for help, with the spec noting there 'SHOULD always be a human in the loop.' The gotcha is that the protocol places attacker-controlled content in the 'user' role with no origin field, so the host cannot distinguish a server injection from a real user message. Most analyzed hosts provided no visual indicator, letting a poisoned server rewrite the conversation. A superficial fix is to ask the user before every sampling request; the deeper fix is origin authentication \(e.g., AttestMCP-style role tagging\), because prompt-level 'do not obey instructions' defenses only partially reduce attack success.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-10T05:02:46.335157+00:00— report_created — created