The tools affected: Claude Code, Cursor, VS Code Copilot, Windsurf, and Gemini-CLI.

Anthropic's response: they declined to patch the flaw, stating the execution model is by design and that sanitization is the developer's responsibility.

For professional services firms using any of these tools with data integrations, that last point matters. The security burden has been explicitly placed on the people building and deploying these tools — and on the firms that use them.

---

What Is MCP and Why Does This Matter

The Model Context Protocol was designed to let AI systems connect to external data sources and tools. Instead of copy-pasting information into an AI chat window, MCP enables AI to read directly from your file system, pull from your calendar, query your CRM, or interact with your billing software.

For professional services firms, this connectivity is what makes AI genuinely useful at the workflow level — rather than just as a writing assistant. An AI agent that can access a client's prior engagement files, current correspondence, and billing history can produce more relevant output with less manual setup.

But connectivity is also exposure. An AI agent that can read all client files, write to your billing system, and access your email is not just a productivity tool. It is a surface area.

The MCP vulnerability means that this surface area can be exploited if a malicious input reaches an MCP-connected server. The execution happens at the server level, before normal validation checks run.

---

Your 3-Step Access Audit

This is the action most professional services firms need to take. It does not require technical expertise. It requires knowing what you've connected.

Step 1: List What Your AI Tools Can Reach

Open whatever AI assistant your team uses most. Ask: what data does this tool have access to?

Check for:

• File system access (which folders or drives)
• Email (read-only, or read-and-send?)
• Calendar (view-only, or modify?)
• CRM or client management system
• Billing or time-tracking software
• Client databases or document management systems

If you're not sure what your AI tool can access, that uncertainty is the finding. Tools that have been integrated with broad permissions and not reviewed since setup are the highest-risk configuration.

Step 2: Restrict to Minimum Necessary Access

The MCP vulnerability is most dangerous when the AI agent has broad access to sensitive data. A Claude integration with read access to a single project folder is a much smaller attack surface than one with access to the entire firm drive, client database, and email.

For each AI tool with data access:

• Review the permissions currently granted
• Remove access to any system the AI doesn't genuinely need for the tasks it performs
• Confirm that client data (files, correspondence, financial records) is only accessible to the AI when specifically needed for a task — not as a background connection that persists across sessions

Most MCP integrations have settings or configuration files that govern access scope. If your AI tool was set up by a developer or IT contractor, have them review and tighten the permissions this week.

Step 3: Update Your MCP SDK if You Have Developer-Built Integrations

If your firm has developers who built or maintain MCP server integrations, have them check for SDK updates:

• Python: mcp SDK on PyPI
• TypeScript/Node.js: @modelcontextprotocol/sdk on npm
• Java and Rust: check the official MCP repository

Mitigation patches for specific attack vectors may have been released since the initial disclosure. The architectural flaw Anthropic declined to fix is a design-level issue, but individual SDK versions may implement input validation that reduces exploitability.

---

Context for Most Small Professional Services Firms

The MCP vulnerability gets significant press because of the scale — 200,000 servers is a large number — but the risk profile varies considerably based on how your firm uses AI.

Lower risk: You use AI in browser-based chat interfaces (Claude.ai, ChatGPT, Copilot in a browser window, Gemini via browser). These interfaces don't run local MCP servers with broad data access. Your data isn't being pulled into the AI session unless you explicitly paste or upload it.

Higher risk: You have implemented AI agents with tool integrations. A Cursor installation that reads your project files and has write access to your codebase. A Claude Code setup that connects to your file system and development environment. Any AI integration built with MCP that grants the AI access to files, databases, or services beyond a narrow scope.

Middle ground: You use AI productivity tools (Copilot in Office, AI features in your document management system) that have been integrated by the software vendor. Here, the vendor's security posture matters more than your configuration — audit your vendor's response to the MCP disclosure if you use such tools.

If you're not sure which category your firm falls into, the Step 1 audit is your starting point.

---

The Broader Security Context

The MCP vulnerability sits alongside a pattern of AI security issues that professional services firms should be tracking as AI adoption expands:

Data leakage through AI sessions. AI tools that process client data in cloud-based sessions can expose that data to vendor logging, model training, and third-party processing depending on the tool's data handling terms. Most enterprise plans (ChatGPT Enterprise, Claude for Enterprise) offer data isolation commitments. Consumer and small business plans often do not. Review the data terms for every AI tool your firm uses with client information.

Prompt injection. AI systems that process external documents (contracts, emails, third-party content) can be manipulated by malicious text embedded in those documents — text designed to cause the AI to take unintended actions. In a firm that uses AI to review client-provided documents, this is a relevant attack surface.

Access creep. AI tools that begin with narrow, appropriate access can accumulate broader permissions as your team adds integrations and use cases. What started as "AI can read our project folder" becomes "AI can access the entire drive and email" over time without deliberate review. The Step 1 audit above is also a defense against access creep.

None of these issues require sophisticated attackers. They require AI tools configured with more access than the task requires, operating on data that is sensitive, without access reviews or logging.

---

The Professional Responsibility Dimension

For law firms and accounting firms, the data security obligation extends beyond operational risk into professional responsibility. Attorneys have confidentiality duties under their bar rules; CPAs have confidentiality duties under IRS Circular 230 and firm engagement agreements.

When AI tools have access to client data — files, correspondence, financial records — the firm's professional responsibility obligations apply to how that data is handled within the AI environment. Granting broad AI access to client data without reviewing the tool's data handling terms and configuring minimum-necessary access is not just an IT risk. It is a potential professional responsibility exposure.

The California Bar's April 2026 discipline cases for AI hallucinations (see related post) establish that bar associations are now in the enforcement business on AI misuse. Data exposure resulting from inadequate AI access controls is a shorter path to a bar complaint than most attorneys appreciate.

---

Your Action This Week

Run the 3-step audit. It takes 30–60 minutes for most small firms.

1. List every system your AI tools can access
2. Restrict access to minimum necessary
3. If you have developer-built MCP integrations, update SDK versions

If you find that your AI tools have broader access than you expected or intended, that's the finding — and tightening those permissions this week is the action. The MCP vulnerability is not a reason to abandon AI tools. It is a reason to know what your AI tools can reach and to configure that access deliberately.

The firms that treat AI access scope as a configuration decision — not a default setting — are the ones that stay on the right side of these disclosures.

---

The Crossing Report covers AI adoption, compliance, and business strategy for professional services firm owners. Published weekly at crossing.one.