Friday August 14, 2026 11:30 - 11:55 KST
As MCP systems move from single-tool use to multi-server and multi-agent workflows, a key security question appears: when one server calls another on behalf of a user, whose authority is actually used? In this talk I show how chained MCP calls can create a confused deputy scenario where a server unintentionally uses its own higher privileges instead of the user’s limited permissions, leading to privilege escalation and capability leakage. I demonstrate this with a working multi-server setup that exposes three concrete failure modes: token scope amplification across calls, server-to-server impersonation caused by implicit trust, and over-delegation of capabilities during orchestration. I then present a practical mitigation based on capability-driven design, where each request carries explicit scoped permissions, preserves the caller chain, and is verified at every hop. A prototype implementation shows how these controls block real attack paths while keeping developer experience simple. Finally, I highlight gaps in the current MCP specification and suggest extensions for safer multi-agent systems.
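The mitigation outlined in the abstract (scoped permissions on every request, a preserved caller chain, verification at every hop) can be illustrated with a small HMAC-chained capability token. This is an added example, not the speakers' prototype and not part of the MCP specification; the token layout, the `issue`/`delegate`/`verify` names, the scope strings and the shared demo key are all assumptions.

```python
import hashlib
import hmac
import json

# Assumption: a constructed demo key known only to the issuer and the verifiers.
ROOT_KEY = b"constructed-demo-key"


def _mac(key: bytes, hop: dict) -> bytes:
    msg = json.dumps(hop, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


def issue(user: str, scopes: set) -> dict:
    """Issuer mints the first hop: the user's own, limited scopes."""
    hop = {"caller": user, "scopes": sorted(scopes)}
    return {"chain": [hop], "sig": _mac(ROOT_KEY, hop).hex()}


def delegate(token: dict, server: str, scopes: set) -> dict:
    """A server appends itself to the caller chain before calling onward.
    The new signature is keyed by the previous one, so earlier hops
    cannot be edited or dropped without breaking verification."""
    hop = {"caller": server, "scopes": sorted(scopes)}
    sig = _mac(bytes.fromhex(token["sig"]), hop)
    return {"chain": token["chain"] + [hop], "sig": sig.hex()}


def verify(token: dict, needed: str) -> bool:
    """Run at every hop: recompute the chain and reject any widened scope.
    Note: hop names are self-asserted here; authenticating each server's
    identity would need a separate mechanism."""
    key, allowed = ROOT_KEY, None
    for hop in token["chain"]:
        scopes = set(hop["scopes"])
        if allowed is not None and not scopes <= allowed:
            return False  # a later hop tried to amplify the scope
        key, allowed = _mac(key, hop), scopes
    intact = hmac.compare_digest(key.hex(), token["sig"])
    return intact and needed in (allowed or set())
```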
Speakers
Aviral Sapra

Founder, Linux Foundation Decentralized Trust
I am an LFX’25 mentee of the Linux Foundation Decentralized Trust and a Web3 engineer specializing in systems development working towards my B.Tech in Computer Science from IIIT Gwalior. I have experience in developing solutions using Hyperledger Besu, and verifiable credentials...
Ryan Madhuwala

Founder, Caracal
Creator and maintainer of GitMesh, a new lab under LF Decentralized Trust that transforms market surveillance into actionable Git commits. As the youngest lab leader in LFDT history, I'm building the AI infrastructure that helps developer companies decide what to build next by watching...
Orchid 1