MCP Tools Need Action-Level Authorization
On May 17, 2026, NVD published CVE-2026-8719 for AI Engine 3.4.9, a WordPress plugin that exposes AI and MCP features to WordPress sites.13
The failure mode should make every MCP builder uncomfortable. Wordfence described a missing WordPress capability check in the MCP OAuth bearer-token authorization path: any valid OAuth token could reach admin-level MCP tools without verifying administrator privileges.2 Wordfence rated the issue 8.8 High and marked version 3.5.0 as the patched release.2 The plugin changelog says version 3.5.0 fixed MCP OAuth authorization and token validation by requiring administrator capability.3
MCP authorization fails when a server treats possession of a bearer token as permission to use every tool. OAuth can prove that a token arrived through an authorization flow. The MCP server still has to decide whether that subject may run that tool, on that resource, with that blast radius.
TL;DR
MCP’s HTTP authorization specification gives builders a necessary foundation: protected resource metadata, OAuth 2.1 flows, bearer-token handling, token validation, audience checks, and explicit 403 Forbidden responses for insufficient scopes or permissions.4 The MCP security tutorial frames authorization as the protection layer for sensitive resources and operations exposed by MCP servers.5 Those mechanics do not remove the application-level authorization decision. A server still has to map the token to a user, role, tenant, tool, resource, action, and policy.
CVE-2026-8719 turns that distinction into a concrete failure. AI Engine added OAuth 2.1 and Dynamic Client Registration for its MCP server in version 3.4.9 on May 12, then patched MCP OAuth authorization and token validation in version 3.5.0 on May 16 by requiring administrator capability.3 The lesson reaches beyond WordPress: every MCP server that can mutate data, publish content, change settings, read private records, spend money, or call privileged APIs needs action-level authorization below the model and below the client.
Tool distribution increases the risk. A May 2026 tool-cloning paper measured 8,861 MCP and Skills repositories with 100,011 tool entries and found high verified clone rates in high-similarity buckets.6 Reused templates can spread good patterns. They can also spread missing checks.
Key Takeaways
For MCP server builders:
- Validate tokens, then authorize the concrete action. Treat those as separate gates.
- Return 401 for invalid or missing tokens and 403 for valid tokens that lack scope or permission.
- Test low-privilege tokens against every admin, write, publish, delete, export, and configuration tool.
For security teams: - Review MCP servers like application endpoints, not chat plugins. - Ask which user, role, tenant, resource, and action each tool call maps to. - Require logs that show token subject, tool name, resource, authorization verdict, and denial reason.
For agent-platform teams: - Marketplace counts do not prove independent implementations. - Similarity and provenance checks matter because cloned tools can copy vulnerable authorization logic. - Treat server templates as security-sensitive infrastructure.
For operators: - Upgrade AI Engine to 3.5.0 or later if you run the affected WordPress plugin.23 - Disable MCP exposure until you know which WordPress roles can reach which tools. - Start every new MCP connection in read-only mode, then widen authority only after tests prove the denial paths.
What Broke In AI Engine
AI Engine markets MCP as a way to connect Claude Code, Claude, ChatGPT, OpenClaw, and other clients to a WordPress site through a URL, sign-in flow, and approval step.3 Version 3.4.9 added OAuth 2.1 with Dynamic Client Registration for the MCP server so browser-driven clients could connect without a shared bearer token.3
That product direction makes sense. Shared static tokens do not fit user-facing MCP integrations. OAuth flows can bind a client, a user, and a server more cleanly than copy-pasted secrets.
The bug sat one layer lower. According to NVD and Wordfence, the vulnerable path accepted any valid OAuth token for MCP access without verifying administrator privilege before granting admin-level MCP tool access.12 The distinction matters:
| Gate | Question | Failure if skipped |
|---|---|---|
| Token validation | Did a valid authorization server issue the token? | Foreign, expired, malformed, or replayed tokens may pass. |
| Subject mapping | Which WordPress user or service account does the token represent? | The server cannot apply user-specific policy. |
| Capability check | Does that subject have the WordPress capability for the requested tool? | Subscriber-level users may reach admin-level tools. |
| Tool authorization | Does the requested MCP tool fit the subject’s allowed actions? | One valid session may become all-tools access. |
| Resource authorization | May the subject touch that post, option, user, file, or site? | Cross-tenant or cross-object access may pass. |
The patch description on the WordPress plugin page uses the right language: MCP OAuth authorization and token validation now require administrator capability, preventing privilege escalation by non-admin users.3 That sentence names the missing layer. A token cannot stand in for a capability check.
OAuth Is Necessary, Not Sufficient
MCP’s authorization spec covers the transport-level flow for HTTP-based transports. The spec says MCP clients make requests to restricted MCP servers on behalf of resource owners, and it anchors the flow in OAuth 2.1, protected resource metadata, authorization server metadata, Dynamic Client Registration, and bearer-token usage.4
Those pieces solve real problems:
| OAuth/MCP mechanism | Problem it addresses |
|---|---|
| Protected resource metadata | Client discovers which authorization server protects the MCP server. |
| Authorization server metadata | Client discovers endpoints and supported auth features. |
| Dynamic Client Registration | New clients can register without hardcoded client IDs. |
| Authorization header bearer token | Client sends credentials in the expected HTTP location. |
| Token validation | Server rejects invalid, expired, wrong-audience, or foreign tokens. |
401 and 403 responses |
Server separates authentication failures from insufficient permission. |
The MCP spec also warns about confused-deputy and token-passthrough risks. MCP servers must validate that presented tokens target the MCP server and must not pass through a token received from the MCP client to upstream APIs.4 That guidance protects the boundary between services.
Action-level authorization protects the boundary inside the MCP server.
An MCP server may expose 10 tools or 100. Some tools read public metadata. Some read private records. Some draft changes. Some mutate production state. Some administer users, plugins, payments, jobs, messages, or infrastructure. A valid token should not automatically reach every tool because the server accepted the session.
The correct chain looks like this:
- Validate token issuer, signature, expiry, audience, and transport rules.
- Resolve the token to a local subject: user, service account, organization, tenant, or automation.
- Load that subject’s role, scopes, grants, budgets, and policy.
- Classify the requested MCP tool by action type and risk.
- Check the target resource, not only the tool name.
- Return
403when the token is valid but the action exceeds authority. - Log the decision with enough detail for review.
OAuth gets the request to the decision point. Authorization decides whether the action belongs.
Tool Calls Need A Permission Matrix
Agent tools make old endpoint habits more dangerous. A normal web route often has a narrow UI path around it. A model-facing tool sits inside a planner. The agent can retry, chain calls, inspect tool descriptions, combine read results with write actions, and carry instructions from untrusted content into later steps.
That behavior changes the minimum permission model. A server should not only ask “can this user access MCP?” The server should ask “can this user perform this action through this tool against this resource right now?”
Use a matrix:
| Dimension | Example question |
|---|---|
| Subject | Which user, role, workspace, or service account owns the token? |
| Tool | Which MCP tool did the agent call? |
| Action | Does the tool read, draft, write, delete, publish, export, administer, or spend? |
| Resource | Which site, post, option, customer, file, repository, wallet, or environment does it touch? |
| Scope | Did the authorization grant include that tool family and action class? |
| Capability | Does the local app role allow the same operation outside MCP? |
| Context | Did the request come from a trusted UI, scheduled job, remote client, or untrusted input path? |
| Budget | Does the action fit rate, size, spend, audience, and time limits? |
| Review | Does the action require human approval or a staging step? |
| Audit | Can a reviewer reconstruct the verdict later? |
That matrix fits the pattern from Agent Keys Need Risk Budgets. Credentials should not behave like all-purpose bearer strings. They should behave like bounded authority objects with server-side limits, activity logs, revocation, and conservative defaults.
It also fits the ownership frame in AI Agent Ownership Is the Trust Primitive. Every privileged tool call should map to a responsible account, session, authority bundle, review path, and stop path.
Cloned Tools Can Copy The Same Missing Check
The AI Engine bug would matter even if every MCP server came from a careful independent implementation. The tool ecosystem does not look that clean.
Kim, Jiang, Hu, Jia, and Gong published a May 10, 2026 paper measuring tool cloning in agentic-AI ecosystems. Their dataset covered 7,508 MCP repositories with 87,564 extracted tools and 1,353 Skills repositories with 12,447 tools, for 8,861 repositories and 100,011 tool entries.6 The authors used token-level Jaccard similarity and ssdeep fuzzy structural similarity, then manually verified sampled pairs across similarity buckets.6
Their abstract reports that 60% of high-Jaccard candidates and 85% of high-ssdeep candidates in the MCP ecosystem were manually verified as clones.6 The paper argues that hidden duplication can contaminate benchmark splits, propagate vulnerable implementations, bias measurements of tool-use generalization, and raise provenance, attribution, and license concerns.6
That finding changes how teams should read MCP marketplace growth. More tools do not automatically mean more independent security review. A repeated server scaffold can give the ecosystem consistency. The same repetition can copy the same weak auth pattern across many packages.
The security review should therefore include provenance:
| Review question | Why it matters |
|---|---|
| Did the MCP server come from a template? | Template bugs can spread across many tools. |
| Which upstream repo or generator produced the auth code? | Review should happen at the source, not only each clone. |
| Does the tool manifest declare dangerous actions? | Operators need to spot write, admin, export, and spend tools before enabling them. |
| Do similar repos share the same auth middleware? | One proof-of-concept may cover a family of tools. |
| Does the marketplace show publisher, version, and patch status? | Users need provenance when a CVE lands. |
Agent Skills Need Package Managers argued for package-style distribution, provenance, and policy around skills. MCP servers need the same discipline, plus runtime authorization tests.
The Minimum Test Suite For MCP Authorization
Every MCP server that touches private or mutable data should ship an authorization test suite. Unit tests that confirm the happy path do not suffice. The dangerous behavior lives in the denial paths.
Start with these cases:
| Test | Expected result |
|---|---|
| Missing token calls protected tool | 401 Unauthorized |
| Expired token calls protected tool | 401 Unauthorized |
| Token for another audience calls protected tool | 401 Unauthorized |
| Valid low-privilege token calls admin tool | 403 Forbidden |
| Valid read-only token calls write tool | 403 Forbidden |
| Valid write token touches another tenant’s resource | 403 Forbidden |
| Valid token calls export tool over size limit | 403 Forbidden or review-required verdict |
| Valid token calls destructive tool without approval state | 403 Forbidden or review-required verdict |
| MCP server receives a client token for upstream API | Server rejects passthrough and uses a separate upstream token flow |
| Denied request appears in audit log | Log includes subject, tool, resource, verdict, and reason |
The exact status code can follow a product’s policy, but the distinction should remain: invalid credentials fail before subject resolution, and valid credentials with insufficient authority fail at the authorization gate. MCP’s spec names 401 for missing or invalid authorization and 403 for invalid scopes or insufficient permissions.4
For WordPress specifically, the same rule becomes sharper: MCP tools that perform admin operations should check the same WordPress capabilities that the dashboard, REST API, or internal PHP path would check. A lower-privilege role should not gain a new path to admin behavior because the call arrived through a model-facing protocol.
What Marketplace Review Should Require
MCP marketplaces and plugin directories should treat authorization metadata as first-class package data. A user deciding whether to enable a server needs more than a tool count.
Minimum public metadata:
| Field | Reason |
|---|---|
| Publisher identity | Users need a responsible maintainer. |
| Source repository | Reviewers need implementation provenance. |
| Generated-from or forked-from | Clone families should be visible. |
| Auth model | API key, OAuth, browser session, local environment, or no auth. |
| Required scopes | Operators need to know what the tool will request. |
| Dangerous actions | Write, delete, publish, export, spend, administer, execute. |
| Resource boundaries | Tenant, workspace, project, account, or local file scope. |
| Audit behavior | Where tool calls and denials appear. |
| Patch status | Which version fixes known CVEs. |
Those fields would not eliminate vulnerable tools. They would make the review surface real. Operators could compare declared authority against actual code, and marketplaces could group similar implementations when a defect appears.
That is the missing bridge between the MCP authorization spec and the tool-cloning paper. The spec tells implementers how to do the protocol-level flow. The ecosystem needs package-level provenance and action-level authorization evidence so repeated implementations do not repeat the same missing checks.
What To Build Instead
Build MCP authorization as a pipeline:
- Protocol gate: verify protected resource metadata, OAuth flow, token placement, token validity, expiry, issuer, and audience.
- Subject gate: map the token to a user, service account, role, tenant, and workspace.
- Tool gate: classify every tool by read, draft, write, delete, publish, export, admin, execute, or spend.
- Resource gate: authorize the exact target object or tenant boundary.
- Budget gate: apply rate, size, spend, audience, and time limits before execution.
- Approval gate: require human or policy approval for high-risk actions.
- Audit gate: record allow, deny, and review-required verdicts in a place operators can inspect.
The gates should sit outside the model. A tool description can tell the agent to avoid admin actions. A prompt can ask for caution. Neither should carry the boundary. The server should reject unauthorized action even when the agent asks politely, confidently, or repeatedly.
Your Agent Sandbox Is A Suggestion makes the same point from another angle: valid permissions can still compose into unsafe behavior. MCP tools need authorization at the action boundary because the agent will compose actions faster than a human can mentally simulate them.
FAQ
Does MCP require OAuth?
No. MCP authorization is optional, and the HTTP authorization specification applies when an implementation supports authorization over HTTP-based transports. The same spec says STDIO transports should retrieve credentials from the environment rather than follow the HTTP OAuth flow.4
Does OAuth solve MCP authorization?
OAuth solves only part of the problem. OAuth can establish an authorization flow, issue tokens, and let a protected MCP server validate bearer tokens. The MCP server still has to decide whether the token subject may perform the specific tool action against the target resource.
What did CVE-2026-8719 prove?
CVE-2026-8719 proved that a valid-token path can still miss local capability enforcement. NVD and Wordfence describe AI Engine 3.4.9 as accepting any valid OAuth token for MCP access without verifying administrator privilege before admin-level MCP tools became reachable.12
What should MCP builders test first?
Test denial paths first: low-privilege token to admin tool, read-only token to write tool, valid token to another tenant’s resource, expired token, wrong-audience token, and destructive tool without approval. Passing happy-path OAuth does not prove action-level authorization.
Why does tool cloning matter for MCP security?
Tool cloning matters because repeated implementations can repeat the same vulnerable middleware, auth shortcuts, and missing checks. The May 2026 tool-cloning paper found high verified clone rates in high-similarity MCP candidates and warned that hidden duplication can propagate vulnerable implementations.6
References
-
National Vulnerability Database, “CVE-2026-8719,” published May 17, 2026. Source for the CVE publication date, affected version 3.4.9, CVSS vector, CWE-269 classification, and missing WordPress capability enforcement in the MCP OAuth bearer-token authorization path. ↩↩↩
-
Wordfence Intelligence, “AI Engine 3.4.9 - Authenticated (Subscriber+) Privilege Escalation via Missing Authorization in MCP OAuth Bearer Token,” publicly published May 16, 2026, last updated May 17, 2026. Source for the CVSS 8.8 High rating, affected version 3.4.9, patched version 3.5.0, and remediation guidance. ↩↩↩↩↩
-
WordPress.org Plugin Directory, “AI Engine - The Chatbot, AI Framework & MCP for WordPress,” accessed May 18, 2026. Source for the plugin’s MCP positioning, OAuth connection language, version 3.4.9 changelog entry adding OAuth 2.1 with Dynamic Client Registration for the MCP server, and version 3.5.0 changelog entry requiring administrator capability for MCP OAuth authorization and token validation. ↩↩↩↩↩↩↩
-
Model Context Protocol, “Authorization,” specification revision 2025-06-18. Source for MCP’s HTTP authorization scope, OAuth 2.1 basis, protected resource metadata, authorization server metadata, bearer-token usage, token validation, audience binding, token-passthrough restriction, confused-deputy discussion, and
401/403authorization error guidance. ↩↩↩↩↩ -
Model Context Protocol, “Understanding Authorization in MCP,” security tutorial, accessed May 18, 2026. Source for the tutorial framing that MCP authorization protects sensitive resources and operations exposed by MCP servers and should restrict access to permitted users. ↩
-
Taein Kim, David Jiang, Yuepeng Hu, Yuqi Jia, and Neil Gong, “Evaluating Tool Cloning in Agentic-AI Ecosystems,” arXiv:2605.09817, submitted May 10, 2026. Source for the dataset counts, similarity-method overview, manually verified clone rates, and risks around benchmark contamination, vulnerable implementation propagation, provenance, attribution, and license concerns. ↩↩↩↩↩↩