TL;DR: Server-side request forgery (SSRF) and token passthrough are old web vulnerabilities in new packaging. In an MCP server, a single mishandled URL can turn into RCE on a developer's laptop or a foothold inside a cloud account. This post walks through three recent case studies: an mcp-atlassian CVE chain, Microsoft's MarkItDown SSRF, and the marketplace-plugin flaw in OpenClaw. As a closer, mitigat...
