Security Experts Warn of ‘Prompt Hijacking’ Flaw Threatening AI Systems Using MCP Protocol

As artificial intelligence becomes more deeply embedded in business operations, a new kind of cybersecurity risk is emerging—one that targets the connections around AI, not the models themselves. Researchers at JFrog have uncovered a serious vulnerability known as “prompt hijacking” in the Model Context Protocol (MCP), a system designed to help AI interact with real-world data and tools.

A New Security Blind Spot for Connected AI

Businesses are increasingly integrating AI assistants directly with company data, software, and internal systems to make them more useful and responsive. But while this integration brings efficiency, it also opens new attack surfaces. The latest research suggests that attackers can exploit weak points in the way AI models communicate via MCP—raising concerns for CIOs, CISOs, and AI engineers.

Unlike traditional AI attacks that target the model itself, this vulnerability affects the infrastructure connecting AI to external data sources. In simple terms, hackers can hijack the conversation between an AI assistant and its connected tools, manipulating responses or injecting malicious code.

How MCP Prompt Hijacking Works

MCP, originally developed by Anthropic, was created to let AI systems securely access and use local files, code, or online resources. However, JFrog’s analysis found a flaw in the Oat++ MCP implementation (tracked as CVE-2025-6515) that could let attackers impersonate legitimate users.

Here’s how it happens: when an AI assistant communicates via MCP, it opens a session identified by a session ID. In the flawed version of Oat++ MCP, these IDs were derived from memory addresses, which are neither unique over time nor unpredictable. Because a computer’s allocator hands the same addresses back once memory is freed, a skilled attacker can predict or reuse them—essentially “spoofing” another user’s session.

Once the attacker gains a valid session ID, they can send fake requests that appear legitimate. For example, instead of recommending a trusted Python library like Pillow, the AI could be tricked into suggesting a malicious package designed to steal data or compromise systems. This isn’t a theoretical risk—it’s a direct threat to the software supply chain and to the trust users place in AI recommendations.

Why It Matters

This flaw highlights a growing concern: AI systems are only as secure as the protocols that connect them. Even if an AI model is safe, the “pipes” carrying data in and out of it may not be. JFrog’s findings serve as a reminder that AI infrastructure security must extend beyond model integrity to include session management, middleware, and network design.

Any organization using oatpp-mcp with HTTP Server-Sent Events (SSE) in a network accessible to attackers could be at risk of exploitation.

How Organizations Can Protect Themselves

JFrog’s report offers several critical takeaways for AI and cybersecurity teams:

  1. Strengthen session management. Servers should generate cryptographically secure session IDs using random generators—not memory addresses or sequential values.
  2. Harden client defenses. Client applications should reject unexpected or mismatched session events and use non-predictable event identifiers.
  3. Adopt zero-trust principles for AI pipelines. Security validation shouldn’t stop at the model layer—teams need to secure every protocol, middleware, and communication channel the AI uses.
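As an added illustration of the flaw described above and of takeaways 1 and 2 (example code, not the JFrog report’s or the oatpp-mcp project’s own), the address-derived ID pattern sits beside a random one, with server-side validation of issued IDs and the client-side check that drops events for a session the client never negotiated. It assumes std::random_device is backed by the OS CSPRNG on the platform in question.

```cpp
// Added example, not code from the JFrog report or from oatpp-mcp.
#include <cstdint>
#include <cstdio>
#include <random>
#include <set>
#include <string>

struct Session { int state = 0; };
// WEAK (the CVE-2025-6515 pattern): the ID is the session object's address,
// which is guessable and handed back by the allocator after free/alloc cycles.
std::string weakSessionId(const Session* s) {
    return std::to_string(reinterpret_cast<std::uintptr_t>(s));
}

// Does a freed session's ID come straight back for the next session? With
// typical allocators it does, which is the reuse the report describes.
bool weakIdRepeatsAfterReuse() {
    Session* a = new Session;  std::string first = weakSessionId(a);  delete a;
    Session* b = new Session;  std::string second = weakSessionId(b); delete b;
    return first == second;
}

// HARDENED: 128 random bits, hex-encoded. Assumption: std::random_device is
// backed by the OS CSPRNG here (true for mainstream libstdc++/libc++ builds).
std::string secureSessionId() {
    static std::random_device rd;
    std::string id;
    char chunk[9];
    for (int i = 0; i < 4; ++i) {
        std::snprintf(chunk, sizeof chunk, "%08x", static_cast<unsigned>(rd()));
        id += chunk;
    }
    return id;
}

// Server side: only IDs this server issued are honoured; a guessed or replayed
// value absent from the live set is rejected before any tool call runs.
class SessionRegistry {
public:
    std::string open() { std::string id = secureSessionId(); live_.insert(id); return id; }
    bool accepts(const std::string& id) const { return live_.count(id) != 0; }
private:
    std::set<std::string> live_;
};
// Client side: an SSE event naming a session other than the one this client
// negotiated is dropped rather than acted on.
bool clientAcceptsEvent(const std::string& mine, const std::string& eventSession) {
    return !mine.empty() && mine == eventSession;
}
```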

A Wake-Up Call for AI Security

This discovery serves as a clear warning: familiar cybersecurity problems like session hijacking are reappearing in the AI era, but in new forms. As companies rush to integrate AI more deeply into their workflows, protecting not just the model but also the data streams and connections around it will be essential.

The MCP prompt hijacking case shows that innovation in AI must go hand-in-hand with robust, modern security practices—because even the smartest assistant can be misled if its communication channels aren’t protected.