{
  "ave_id": "AVE-2026-00002",
  "schema_version": "0.2.0",
  "component_type": "mcp",
  "title": "MCP tool description behavioral injection",
  "attack_class": "Prompt Injection - Tool Description",
  "description": "An MCP server embeds behavioral instructions in tool description fields that are read by the agent during tool discovery. The agent treats these instructions as authoritative context, causing it to follow attacker-controlled directives. This attack fires before any tool is called, at the moment the agent reads the tool manifest.",
  "affected_platforms": ["claude-desktop", "cursor", "windsurf", "any-mcp-client"],
  "affected_registries": ["smithery.ai", "glama.ai", "mcp-registry"],
  "aivss_score": 7.3,
  "cvss_base_vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:N/SC:L/SI:H/SA:N",
  "owasp_mapping": ["ASI01", "ASI03"],
  "owasp_mcp": ["MCP03", "MCP10"],
  "nist_ai_rmf_mapping": ["MAP-1.5", "MEASURE-2.5"],
  "mitre_atlas_mapping": ["AML.T0054"],
  "behavioral_fingerprint": "MCP tool description field contains directives targeting agent behavior rather than describing tool functionality.",
  "behavioral_vector": ["tool-poison", "prompt-injection", "mcp-description"],
  "mutation_count": 23,
  "detection_methodology": "1. Static scan: search for patterns matching this attack class using bawbel-scanner.\n2. Semantic analysis: LLM engine flags behavioral directives in component content.\n3. Behavioral sandbox: monitor agent behavior during initialization for unexpected actions.",
  "indicators_of_compromise": [
    "Tool description contains directives like IMPORTANT, WARNING, NOTE targeting the agent",
    "Tool description contains \"before using this tool\", \"before calling this tool\", or similar",
    "Tool description contains instructions to ignore previous context or override system instructions",
    "Tool description length significantly exceeds what is needed to describe tool functionality"
  ],
  "aivss": {
    "cvss_base": 8.7,
    "aarf": {
      "autonomy": 1.0,
      "tool_use": 1.0,
      "multi_agent": 0.5,
      "non_determinism": 1.0,
      "self_modification": 0.5,
      "dynamic_identity": 0.5,
      "persistent_memory": 0.0,
      "natural_language_input": 1.0,
      "data_access": 0.5,
      "external_dependencies": 0.0
    },
    "aars": 6.0,
    "thm": 1.0,
    "mitigation_factor": 1.0,
    "aivss_score": 7.3,
    "aivss_severity": "HIGH",
    "spec_version": "0.8",
    "owasp_mcp_mapping": ["MCP03", "MCP10"],
    "notes": "AARF scores reflect typical mcp deployment in agentic workflows. See SPEC.md for factor definitions."
  },
  "remediation": "1. Remove or replace the MCP server.\n2. Review all tool calls made while the server was connected.\n3. Audit agent output for signs of behavioral changes matching the injected instructions.\n4. Report the server to the registry operator.",
  "status": "active",
  "kill_switch_active": false,
  "researcher": "Bawbel Security Research Team",
  "researcher_url": "https://bawbel.io",
  "published": "2026-04-01T09:00:00Z",
  "last_updated": "2026-05-12T00:00:00Z",
  "references": [
    "https://owasp.org/www-project-top-10-for-large-language-model-applications/",
    "https://aivss.owasp.org",
    "https://github.com/bawbel/ave"
  ],
  "piranha_url": "https://api.piranha.bawbel.io/records/AVE-2026-00002",
  "severity": "HIGH"
}